commit 0fb43a5e36f40ae7fccd2128e5e0bbb401b3111a
Author: Kon <akonst9@gmail.com>
Date:   Thu Jan 31 13:54:15 2013 -0500

    Initial commit.

diff --git a/src/MANIFEST b/src/MANIFEST
new file mode 100755
index 00000000..755d8ab8
--- /dev/null
+++ b/src/MANIFEST
@@ -0,0 +1,30 @@
+quickstart.py
+setup.py
+simplejson/__init__.py
+simplejson/decoder.py
+simplejson/encoder.py
+simplejson/ordered_dict.py
+simplejson/scanner.py
+simplejson/tool.py
+tuf/__init__.py
+tuf/checkjson.py
+tuf/conf.py
+tuf/download.py
+tuf/formats.py
+tuf/hash.py
+tuf/keydb.py
+tuf/keys.py
+tuf/log.py
+tuf/mirrors.py
+tuf/sig.py
+tuf/util.py
+tuf/client/__init__.py
+tuf/client/updater.py
+tuf/pushtools/push.py
+tuf/pushtools/receivetools/receive.py
+tuf/pushtools/transfer/__init__.py
+tuf/pushtools/transfer/scp.py
+tuf/repo/__init__.py
+tuf/repo/keystore.py
+tuf/repo/signercli.py
+tuf/repo/signerlib.py
diff --git a/src/evpy/__init__.py b/src/evpy/__init__.py
new file mode 100755
index 00000000..e69de29b
diff --git a/src/evpy/cipher.py b/src/evpy/cipher.py
new file mode 100755
index 00000000..de904067
--- /dev/null
+++ b/src/evpy/cipher.py
@@ -0,0 +1,200 @@
+#! /usr/bin/env python
+
+"""
+cipher.py
+
+Written by Geremy Condra
+Released on 18 March 2010
+Licensed under MIT License
+
+This module provides a basic interface to OpenSSL's EVP
+cipher functions.
+
+All the functions in this module raise CipherError on
+malfunction.
+
+From an end-user perspective, this module should be used
+in situations where you want to have a single generally
+human-readable or human-generated key used for both
+encryption and decryption. 
+
+This means that as a general rule, if your application 
+involves transmitting this key over an insecure channel
+you should not be using this module, but rather 
+evpy.envelope.
+
+Usage:
+
+	>>> from evpy import cipher
+	>>> message = b"this is data"
+	>>> pw = b"mypassword"
+	>>> salt, iv, enc = cipher.encrypt(message, pw)
+	>>> cipher.decrypt(salt, iv, enc, pw)
+	'this is data'
+"""
+
+import ctypes
+import time
+
+import evp
+
+
+class CipherError(evp.SSLError):
+	pass
+
+def _strengthen_password(pw, iv, salt=None):
+	# add the hash
+	evp.OpenSSL_add_all_digests()
+	# build the key buffer
+	key = ctypes.create_string_buffer(24)
+	# either take the existing salt or build a new one
+	if not salt:
+		salt = ctypes.create_string_buffer(8)
+		# get the needed entropy, bailing if it doesn't work in
+		# the first thousand tries
+		for i in range(1000):
+			if evp.RAND_bytes(salt, 8): break
+		else:
+			raise CipherError("Could not generate enough entropy")
+		# extract the salt
+		salt = salt.raw
+	# get the hash
+	evp_hash = evp.EVP_get_digestbyname("sha512")
+	if not evp_hash:
+		raise CipherError("Could not create hash object")
+	# fill the key
+	if not evp.EVP_BytesToKey(evp.EVP_aes_192_cbc(), evp_hash, salt, pw, len(pw), 1000, key, iv):
+		raise CipherError("Could not strengthen key")
+	# go home
+	return salt, key.raw
+	
+
+def encrypt(data, password):
+	"""Encrypts the given data, raising CipherError on failure.
+
+	This uses AES192 to encrypt and strengthens the given
+	passphrase using SHA512.
+
+	Usage:
+		>>> from evpy import cipher
+		>>> f = open("test/short.txt", "rb")
+		>>> data = f.read()
+		>>> pw = b"mypassword"
+		>>> salt, iv, enc = cipher.encrypt(data, pw)
+		>>> cipher.decrypt(salt, iv, enc, pw) == data
+		True
+	"""
+	# ensure data exists
+	if not len(data):
+		raise CipherError("Data must actually exist")
+	if not len(password):
+		raise CipherError("Password must actually exist")
+
+	# build and initialize the context
+	ctx = evp.EVP_CIPHER_CTX_new()
+	if not ctx:
+		raise CipherError("Could not create context")
+	evp.EVP_CIPHER_CTX_init(ctx)
+
+	# get the cipher object
+	cipher_object = evp.EVP_aes_192_cbc()
+	if not cipher_object:
+		raise CipherError("Could not create cipher object")
+
+	# finish the context and cipher object
+	if not evp.EVP_EncryptInit_ex(ctx, cipher_object, None, None, None):
+		raise CipherError("Could not finish context")
+
+	# build the randomized iv
+	iv_length = evp.EVP_CIPHER_CTX_iv_length(ctx)
+	iv = ctypes.create_string_buffer(iv_length)
+	# get the needed entropy, bailing if it doesn't work in
+	# the first thousand tries
+	for i in range(1000):
+		if evp.RAND_bytes(iv, iv_length): break
+	else:
+		raise CipherError("Not enough entropy for IV")
+	output_iv = iv.raw
+
+	# strengthen the password into an honest-to-goodness key
+	salt, aes_key = _strengthen_password(password, iv)
+
+	# initialize the encryption operation
+	if not evp.EVP_EncryptInit_ex(ctx, None, None, aes_key, iv):
+		raise CipherError("Could not start encryption operation")
+
+	# build the output buffer
+	buf = ctypes.create_string_buffer(len(data) + 16)
+	written = ctypes.c_int(0)
+	final = ctypes.c_int(0)
+
+	# update
+	if not evp.EVP_EncryptUpdate(ctx, buf, ctypes.byref(written), data, len(data)):
+		raise CipherError("Could not update ciphertext")
+	output = buf.raw[:written.value]
+
+	# finalize
+	if not evp.EVP_EncryptFinal_ex(ctx, buf, ctypes.byref(final)):
+		raise CipherError("Could not finalize ciphertext")
+	output += buf.raw[:final.value]
+
+	# ...and go home
+	return salt, output_iv, output
+
+
+def decrypt(salt, iv, data, password):
+	"""Decrypts the given data, raising CipherError on failure.
+	
+	Usage:
+		>>> from evpy import cipher
+		>>> f = open("test/short.txt", "rb")
+		>>> data = f.read()
+		>>> pw = b"mypassword"
+		>>> salt, iv, enc = cipher.encrypt(data, pw)
+		>>> cipher.decrypt(salt, iv, enc, pw) == data
+		True
+	"""
+	# ensure inputs are the correct size
+	if not len(data):
+		raise CipherError("Data must actually exist")
+	if not len(password):
+		raise CipherError("Password must actually exist")
+	if len(salt) != 8:
+		raise CipherError("Incorrect salt size")
+	if len(iv) != 16:
+		raise CipherError("Incorrect iv size")
+
+	# build and initialize the context
+	ctx = evp.EVP_CIPHER_CTX_new()
+	if not ctx:
+		raise CipherError("Could not create context")
+	evp.EVP_CIPHER_CTX_init(ctx)
+
+	# get the cipher object
+	cipher_object = evp.EVP_aes_192_cbc()
+	if not cipher_object:
+		raise CipherError("Could not create cipher object")
+
+	# build the key
+	salt, key = _strengthen_password(password, iv, salt)
+
+	# start decrypting the ciphertext
+	if not evp.EVP_DecryptInit_ex(ctx, cipher_object, None, key, iv):
+		raise CipherError("Could not open envelope")
+
+	# build the output buffers
+	buf = ctypes.create_string_buffer(len(data) + 16)
+	written = ctypes.c_int(0)
+	final = ctypes.c_int(0)
+
+	# update
+	if not evp.EVP_DecryptUpdate(ctx, buf, ctypes.byref(written), data, len(data)):
+		raise CipherError("Could not update plaintext")
+	output = buf.raw[:written.value]
+
+	# finalize
+	if not evp.EVP_DecryptFinal_ex(ctx, buf, ctypes.byref(final)):
+		raise CipherError("Could not finalize decryption")
+	output += buf.raw[:final.value]
+
+	return output
diff --git a/src/evpy/envelope.py b/src/evpy/envelope.py
new file mode 100755
index 00000000..16ee8f68
--- /dev/null
+++ b/src/evpy/envelope.py
@@ -0,0 +1,326 @@
+#! /usr/bin/env python
+
+"""
+envelope.py
+
+Written by Geremy Condra
+Released on 18 March 2010
+Licensed under MIT License
+
+This module provides a basic interface to OpenSSL's EVP
+envelope functions.
+
+In a nutshell, these functions are designed to provide
+the primary benefit of public key cryptography (the
+ability to provide secrecy without first sharing a
+secret) without its primary downside (small message
+length). It does this by generating a random AES key 
+with which to encrypt the data, then encrypting that
+key against the provided RSA key.
+
+This means that if you have an application in which
+you wish to share sensitive data but do not wish to
+share a common secret, this is your module. Be aware
+that compromising your private key is effectively
+game over with this scheme.
+
+If you require a shared secret and want the key to 
+be human readable, then you will probably want to 
+use the cipher module instead.
+
+All the functions in this module raise EnvelopeError on
+malfunction.
+
+Usage:
+
+	>>> from evpy import envelope
+	>>> f = open("test/short.txt", "rb")
+	>>> data = f.read()
+	>>> public_key = "test/keys/public1.pem"
+	>>> private_key = "test/keys/private1.pem"
+	>>> iv, key, ciphertext = envelope.encrypt(data, public_key)
+	>>> envelope.decrypt(iv, key, ciphertext, private_key) == data
+	True
+"""
+
+import ctypes
+
+import evp
+from signature import _string_to_bio
+
+class EnvelopeError(evp.SSLError):
+	pass
+
+def _build_dkey_from_file(keyfile):
+	fp = evp.fopen(keyfile, "r")
+	if not fp:
+		raise EnvelopeError("Could not open keyfile")
+	# get the decryption key
+	skey = evp.PEM_read_PrivateKey(fp, None, None, None)
+	if not skey:
+		evp.fclose(fp)
+		raise EnvelopeError("Could not read decryption key")
+	# close the file
+	evp.fclose(fp)
+	return skey
+
+def _build_dkey_from_string(key):
+	bio = _string_to_bio(key)
+	dkey = evp.PEM_read_bio_PrivateKey(bio, None, None, None)
+	if not dkey:
+		raise EnvelopeError("Could not build decryption key from string")
+	evp.BIO_free(bio)
+	return dkey
+
+def _build_ekey_from_file(keyfile):
+	fp = evp.fopen(keyfile, "r")
+	if not fp:
+		raise EnvelopeError("Could not open keyfile")
+	# get the encryption key
+	ekey = evp.PEM_read_PUBKEY(fp, None, None, None)
+	if not ekey:
+		evp.fclose(fp)
+		raise EnvelopeError("Could not read encryption key")
+	# close the file
+	evp.fclose(fp)
+	return ekey
+
+def _build_ekey_from_string(key):
+	bio = _string_to_bio(key)
+	ekey = evp.PEM_read_bio_PUBKEY(bio, None, None, None)
+	if not ekey:
+		raise EnvelopeError("Could not create encryption key from string")
+	evp.BIO_free(bio)
+	return ekey
+
+def _build_bio():
+	method = evp.BIO_s_mem()
+	return evp.BIO_new(method);
+
+def _asn1_hex_to_int(value):
+	print(value)
+	return int(''.join(value.split(':')), 16)
+
+def _parse_printed_key(k):
+	attrs = {}
+	current = ""
+	current_attr = ""
+	for line in k.splitlines()[1:]:
+		# its a continuation of the current block
+		if line.startswith(' '):
+			current += line.strip()
+		else:
+			# special case the public exponent
+			if "publicExponent" in current_attr:
+				attrs['publicExponent'] = int(current_attr.split()[1])
+			elif current_attr:
+				attrs[current_attr] = _asn1_hex_to_int(current)
+			current_attr = line.strip(':')
+			current = ""
+	translator = {'publicExponent': 'e', 'privateExponent': 'd', 'modulus': 'n', 'prime1': 'p', 'prime2': 'q'}
+	translated_attrs = {}
+	for key, value in attrs.items():
+		try:
+			translated_attrs[translator[key]] = value
+		except: pass
+	return translated_attrs
+				
+
+def keygen(bitlength=1024, e=65537, pem=True):
+	key = evp.RSA_generate_key(bitlength, e, None, None)
+	if not key:
+		raise EnvelopeError("Could not generate key")
+	if pem:
+		private_bio = evp.BIO_new(evp.BIO_s_mem())
+		if not private_bio:
+			raise KeygenError("Could not create temporary storage")
+		public_bio = evp.BIO_new(evp.BIO_s_mem())
+		if not public_bio:
+			raise KeygenError("Could not create temporary storage")
+		private_buf = ctypes.create_string_buffer('', 65537)
+		if not private_buf:
+			raise MemoryError("Could not allocate key storage")
+		public_buf = ctypes.create_string_buffer('', 65537)
+		if not public_buf:
+			raise MemoryError("Could not allocate key storage")
+		if not evp.PEM_write_bio_RSAPrivateKey(private_bio, key, None, None, 0, 0, None):
+			raise KeygenError("Could not write private key")
+		if not evp.PEM_write_bio_RSA_PUBKEY(public_bio, key):
+			raise KeygenError("Could not write public key")
+		public_len = evp.BIO_read(public_bio, public_buf, 65537)
+		private_len = evp.BIO_read(private_bio, private_buf, 65537)
+		evp.BIO_free(public_bio)
+		evp.BIO_free(private_bio)
+		return public_buf.value, private_buf.value
+	else:
+		# we go through this rigamarole because if there's an engine
+		# in place it won't populate the RSA key's values properly.
+		key_bio = evp.BIO_new(evp.BIO_s_mem())
+		if not key_bio:
+			raise KeygenError("Could not create temporary storage")
+		if not evp.RSA_print(key_bio, key, 0):
+			raise KeygenError("Could not stringify key")
+		key_buf = ctypes.create_string_buffer('', 65537)
+		if not key_buf:
+			raise MemoryError("Could not allocate key storage")
+		evp.BIO_read(key_bio, key_buf, 65537)
+		evp.BIO_free(key_bio)
+		key_string = key_buf.value
+		return key, _parse_printed_key(key_string)
+		
+	
+	
+
+def encrypt(data, keyfile=None, key=None):
+	"""Encrypts the given data, raising EnvelopeError on failure.
+
+	This uses AES192 to do bulk encryption and RSA to encrypt
+	the given public key.
+
+	Usage:
+		>>> from evpy import envelope
+		>>> f = open("test/short.txt", "rb")
+		>>> data = f.read()
+		>>> public_key = "test/keys/public1.pem"
+		>>> private_key = "test/keys/private1.pem"
+		>>> iv, key, ciphertext = envelope.encrypt(data, public_key)
+		>>> envelope.decrypt(iv, key, ciphertext, private_key) == data
+		True
+	"""
+	# validate the incoming data
+	if not data:
+		raise EnvelopeError("Incoming data must be bytes")
+	if not len(data):
+		raise EnvelopeError("Data must actually exist")
+
+	# build and initialize the context
+	ctx = evp.EVP_CIPHER_CTX_new()
+	if not ctx:
+		raise EnvelopeError("Could not create context")
+	evp.EVP_CIPHER_CTX_init(ctx)
+
+	# get the key from the keyfile
+	if key and not keyfile:
+		ekey = _build_ekey_from_string(key)
+	elif keyfile and not key:
+		ekey = _build_ekey_from_file(keyfile)
+	else:
+		raise EnvelopeError("Must specify exactly one key or keyfile")
+
+	# get the cipher object
+	cipher_object = evp.EVP_aes_192_cbc()
+	if not cipher_object:
+		raise EnvelopeError("Could not create cipher object")
+
+	# finish the context and cipher object
+	if not evp.EVP_EncryptInit_ex(ctx, cipher_object, None, None, None):
+		raise EnvelopeError("Could not finish context")
+
+	# build the randomized iv
+	iv_length = evp.EVP_CIPHER_CTX_iv_length(ctx)
+	iv = ctypes.create_string_buffer(iv_length)
+	for i in range(1000):
+		if evp.RAND_bytes(iv, iv_length): break
+	else:
+		raise EnvelopeError("Could not generate enough entropy for IV")
+	output_iv = iv.raw
+
+	# build the randomized AES key
+	keysize = evp.EVP_CIPHER_key_length(cipher_object)
+	aes_key = ctypes.create_string_buffer(keysize)
+	for i in range(1000):
+		if evp.RAND_bytes(aes_key, keysize): break
+	else:
+		raise EnvelopeError("Could not generate enough entropy for AES key")
+
+	# extract the RSA key
+	rsa_key = evp.EVP_PKEY_get1_RSA(ekey)
+	if not rsa_key:
+		raise EnvelopeError("Could not get RSA key")
+
+	# encrypt it
+	buf_size = evp.RSA_size(rsa_key)
+	if not buf_size:
+		raise EnvelopeError("Invalid RSA keysize")
+	encrypted_aes_key = ctypes.create_string_buffer(buf_size)
+	# RSA_PKCS1_PADDING is defined as 1
+	written = evp.RSA_public_encrypt(keysize, aes_key, encrypted_aes_key, rsa_key, 1)
+	if not written:
+		raise EnvelopeError("Could not encrypt AES key")
+	output_key = encrypted_aes_key.raw[:written]
+
+	# initialize the encryption operation
+	if not evp.EVP_EncryptInit_ex(ctx, None, None, aes_key, iv):
+		raise EnvelopeError("Could not start encryption operation")
+
+	# build the output buffer
+	buf = ctypes.create_string_buffer(len(data) + 16)
+	written = ctypes.c_int(0)
+	final = ctypes.c_int(0)
+
+	# update
+	if not evp.EVP_EncryptUpdate(ctx, buf, ctypes.byref(written), data, len(data)):
+		raise EnvelopeError("Could not update ciphertext")
+	output = buf.raw[:written.value]
+
+	# finalize
+	if not evp.EVP_EncryptFinal_ex(ctx, buf, ctypes.byref(final)):
+		raise EnvelopeError("Could not finalize ciphertext")
+	output += buf.raw[:final.value]
+
+	# ...and go home
+	return output_iv, output_key, output
+
+
+def decrypt(iv, encrypted_aes_key, data, keyfile=None, key=None):
+	"""Decrypts the given ciphertext, raising EnvelopeError on failure.
+
+	Usage:
+		>>> from evpy import envelope
+		>>> f = open("test/short.txt", "rb")
+		>>> data = f.read()
+		>>> public_key = "test/keys/public1.pem"
+		>>> private_key = "test/keys/private1.pem"
+		>>> iv, key, ciphertext = envelope.encrypt(data, public_key)
+		>>> envelope.decrypt(iv, key, ciphertext, private_key) == data
+		True
+	"""
+	# build and initialize the context
+	ctx = evp.EVP_CIPHER_CTX_new()
+	if not ctx:
+		raise EnvelopeError("Could not create context")
+	evp.EVP_CIPHER_CTX_init(ctx)
+
+	# get the cipher object
+	cipher_object = evp.EVP_aes_192_cbc()
+	if not cipher_object:
+		raise EnvelopeError("Could not create cipher object")
+
+	# get the key from the keyfile
+	if key and not keyfile:
+		dkey = _build_dkey_from_string(key)
+	elif keyfile and not key:
+		dkey = _build_dkey_from_file(keyfile)
+	else:
+		raise EnvelopeError("Must specify exactly one key or keyfile")
+
+	# open the envelope
+	if not evp.EVP_OpenInit(ctx, cipher_object, encrypted_aes_key, len(encrypted_aes_key), iv, dkey):
+		raise EnvelopeError("Could not open envelope")
+
+	# build the output buffer
+	buf = ctypes.create_string_buffer(len(data) + 16)
+	written = ctypes.c_int(0)
+	final = ctypes.c_int(0)
+
+	# update
+	if not evp.EVP_DecryptUpdate(ctx, buf, ctypes.byref(written), data, len(data)):
+		raise EnvelopeError("Could not update envelope")
+	output = buf.raw[:written.value]
+
+	# finalize
+	if not evp.EVP_DecryptFinal_ex(ctx, buf, ctypes.byref(final)):
+		raise EnvelopeError("Could not finalize envelope")
+	output += buf.raw[:final.value]
+
+	return output
diff --git a/src/evpy/evp.py b/src/evpy/evp.py
new file mode 100755
index 00000000..55988767
--- /dev/null
+++ b/src/evpy/evp.py
@@ -0,0 +1,318 @@
+#! /usr/bin/env python
+
+import ctypes
+import ctypes.util
+import platform
+from os import linesep
+
+def handle_errors():
+	ERR_load_crypto_strings()
+	errno = ERR_get_error()
+	errbuf = ctypes.create_string_buffer(1024)
+	ERR_error_string_n(errno, errbuf, 1024)
+	return errbuf.value.decode("ascii")
+
+class SSLError(Exception):
+	def __init__(self, msg):
+		sslerr = handle_errors()
+		Exception.__init__(self, msg + linesep + sslerr)
+
+libraries = {}
+
+libraries["c"] = ctypes.CDLL(ctypes.util.find_library("c"))
+
+if platform.system() != "Windows":
+	libraries["ssl"] = ctypes.CDLL(ctypes.util.find_library("ssl"))
+else:
+	libraries["ssl"] = ctypes.CDLL(ctypes.util.find_library("libeay32"))
+
+
+class RSA(ctypes.Structure):
+	_fields_ = [	("n", ctypes.c_void_p),
+			("e", ctypes.c_void_p),
+			("d", ctypes.c_void_p),
+			("p", ctypes.c_void_p),
+			("q", ctypes.c_void_p),
+			("dmp1", ctypes.c_void_p),
+			("iqmp", ctypes.c_void_p)]
+
+def handle_errors():
+	ERR_load_crypto_strings()
+	errno = ERR_get_error()
+	errbuf = ctypes.create_string_buffer(1024)
+	ERR_error_string_n(errno, errbuf, 1024)
+	return errbuf.value.decode("ascii")
+
+
+fopen = libraries['c'].fopen
+fopen.restype = ctypes.c_void_p
+fopen.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
+
+
+fclose = libraries['c'].fclose
+fclose.restype = ctypes.c_int
+fclose.argtypes = [ctypes.c_void_p]
+
+
+ERR_load_crypto_strings = libraries['ssl'].ERR_load_crypto_strings
+ERR_load_crypto_strings.restype = ctypes.c_int
+ERR_load_crypto_strings.argtypes = []
+
+
+ERR_print_errors_fp = libraries['ssl'].ERR_print_errors_fp
+ERR_print_errors_fp.restype = ctypes.c_int
+ERR_print_errors_fp.argtypes = [ctypes.c_void_p]
+
+
+OpenSSL_add_all_digests = libraries['ssl'].OpenSSL_add_all_digests
+OpenSSL_add_all_digests.restype = ctypes.c_int
+OpenSSL_add_all_digests.argtypes = []
+
+
+EVP_MD_CTX_create = libraries['ssl'].EVP_MD_CTX_create
+EVP_MD_CTX_create.restype = ctypes.c_void_p
+EVP_MD_CTX_create.argtypes = []
+
+
+PEM_read_PrivateKey = libraries['ssl'].PEM_read_PrivateKey
+PEM_read_PrivateKey.restype = ctypes.c_void_p
+PEM_read_PrivateKey.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p]
+
+
+PEM_read_X509 = libraries['ssl'].PEM_read_X509
+PEM_read_X509.restype = ctypes.c_void_p
+PEM_read_X509.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p]
+
+
+PEM_read_PUBKEY = libraries['ssl'].PEM_read_PUBKEY
+PEM_read_PUBKEY.restype = ctypes.c_void_p
+PEM_read_PUBKEY.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p]
+
+
+PEM_read_bio_PUBKEY = libraries['ssl'].PEM_read_bio_PUBKEY
+PEM_read_bio_PUBKEY.restype = ctypes.c_void_p
+PEM_read_bio_PUBKEY.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p]
+
+
+BIO_free = libraries['ssl'].BIO_free
+BIO_free.restype = ctypes.c_int
+BIO_free.argtypes = [ctypes.c_void_p]
+
+
+PEM_read_bio_PrivateKey = libraries['ssl'].PEM_read_bio_PrivateKey
+PEM_read_bio_PrivateKey.restype = ctypes.c_void_p
+PEM_read_bio_PrivateKey.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p]
+
+
+EVP_get_digestbyname = libraries['ssl'].EVP_get_digestbyname
+EVP_get_digestbyname.restype = ctypes.c_void_p
+EVP_get_digestbyname.argtypes = [ctypes.c_char_p]
+
+
+EVP_DigestInit = libraries['ssl'].EVP_DigestInit
+EVP_DigestInit.restype = ctypes.c_int
+EVP_DigestInit.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
+
+
+EVP_DigestUpdate = libraries['ssl'].EVP_DigestUpdate
+EVP_DigestUpdate.restype = ctypes.c_int
+EVP_DigestUpdate.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int]
+
+
+EVP_SignFinal = libraries['ssl'].EVP_SignFinal
+EVP_SignFinal.restype = ctypes.c_int
+EVP_SignFinal.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.POINTER(ctypes.c_int), ctypes.c_void_p]
+
+
+EVP_VerifyFinal = libraries['ssl'].EVP_VerifyFinal
+EVP_VerifyFinal.restype = ctypes.c_int
+EVP_VerifyFinal.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_void_p]
+
+
+EVP_PKEY_free = libraries['ssl'].EVP_PKEY_free
+EVP_PKEY_free.restype = ctypes.c_int
+EVP_PKEY_free.argtypes = [ctypes.c_void_p]
+
+
+EVP_MD_CTX_cleanup = libraries['ssl'].EVP_MD_CTX_cleanup
+EVP_MD_CTX_cleanup.restype = ctypes.c_int
+EVP_MD_CTX_cleanup.argtypes = [ctypes.c_void_p]
+
+
+EVP_MD_CTX_destroy = libraries['ssl'].EVP_MD_CTX_destroy
+EVP_MD_CTX_destroy.restype = ctypes.c_int
+EVP_MD_CTX_destroy.argtypes = [ctypes.c_void_p]
+
+
+EVP_CIPHER_CTX_new = libraries['ssl'].EVP_CIPHER_CTX_new
+EVP_CIPHER_CTX_new.restype = ctypes.c_void_p
+EVP_CIPHER_CTX_new.argtypes = []
+
+
+EVP_CIPHER_CTX_init = libraries['ssl'].EVP_CIPHER_CTX_init
+EVP_CIPHER_CTX_init.restype = ctypes.c_int
+EVP_CIPHER_CTX_init.argtypes = [ctypes.c_void_p]
+
+try:
+	EVP_CIPHER_CTX_iv_length = libraries['ssl'].EVP_CIPHER_CTX_iv_length
+	EVP_CIPHER_CTX_iv_length.restype = ctypes.c_int
+	EVP_CIPHER_CTX_iv_length.argtypes = [ctypes.c_void_p]
+except:
+	EVP_CIPHER_CTX_iv_length = lambda(x): 16
+
+
+EVP_aes_192_cbc = libraries['ssl'].EVP_aes_192_cbc
+EVP_aes_192_cbc.restype = ctypes.c_void_p
+EVP_aes_192_cbc.argtypes = []
+
+
+EVP_PKEY_size = libraries['ssl'].EVP_PKEY_size
+EVP_PKEY_size.restype = ctypes.c_int
+EVP_PKEY_size.argtypes = [ctypes.c_void_p]
+
+
+EVP_SealInit = libraries['ssl'].EVP_SealInit
+EVP_SealInit.restype = ctypes.c_int
+EVP_SealInit.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_char_p, ctypes.POINTER(ctypes.c_int), ctypes.c_char_p, ctypes.c_void_p, ctypes.c_int]
+
+
+EVP_EncryptInit_ex = libraries['ssl'].EVP_EncryptInit_ex
+EVP_EncryptInit_ex.restype = ctypes.c_int
+EVP_EncryptInit_ex.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_char_p, ctypes.c_char_p]
+
+
+EVP_EncryptUpdate = libraries['ssl'].EVP_EncryptUpdate
+EVP_EncryptUpdate.restype = ctypes.c_int
+EVP_EncryptUpdate.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.POINTER(ctypes.c_int), ctypes.c_char_p, ctypes.c_int]
+
+
+EVP_DecryptUpdate = libraries['ssl'].EVP_DecryptUpdate
+EVP_DecryptUpdate.restype = ctypes.c_int
+EVP_DecryptUpdate.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.POINTER(ctypes.c_int), ctypes.c_char_p, ctypes.c_int]
+
+
+EVP_EncryptFinal_ex = libraries['ssl'].EVP_EncryptFinal_ex
+EVP_EncryptFinal_ex.restype = ctypes.c_int
+EVP_EncryptFinal_ex.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.POINTER(ctypes.c_int)]
+
+
+EVP_SealFinal = libraries['ssl'].EVP_SealFinal
+EVP_SealFinal.restype = ctypes.c_int
+EVP_SealFinal.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.POINTER(ctypes.c_int)]
+
+
+EVP_DecryptFinal_ex = libraries['ssl'].EVP_DecryptFinal_ex
+EVP_DecryptFinal_ex.restype = ctypes.c_int
+EVP_DecryptFinal_ex.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.POINTER(ctypes.c_int)]
+
+
+RAND_bytes = libraries['ssl'].RAND_bytes
+RAND_bytes.restype = ctypes.c_int
+RAND_bytes.argtypes = [ctypes.c_char_p, ctypes.c_int]
+
+
+BIO_new_mem_buf = libraries['ssl'].BIO_new_mem_buf
+BIO_new_mem_buf.restype = ctypes.c_void_p
+BIO_new_mem_buf.argtypes = [ctypes.c_char_p, ctypes.c_int]
+
+
+EVP_CIPHER_CTX_rand_key = libraries['ssl'].EVP_CIPHER_CTX_rand_key
+EVP_CIPHER_CTX_rand_key.restype = ctypes.c_int
+EVP_CIPHER_CTX_rand_key.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
+
+
+try:
+	EVP_CIPHER_key_length = libraries['ssl'].EVP_CIPHER_key_length
+	EVP_CIPHER_key_length.restype = ctypes.c_int
+	EVP_CIPHER_key_length.argtypes = [ctypes.c_void_p]
+except:
+	EVP_CIPHER_key_length = lambda(x): 24
+
+
+EVP_PKEY_encrypt = libraries['ssl'].EVP_PKEY_encrypt
+EVP_PKEY_encrypt.restype = ctypes.c_int
+EVP_PKEY_encrypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_void_p]
+
+
+EVP_OpenInit = libraries['ssl'].EVP_OpenInit
+EVP_OpenInit.restype = ctypes.c_int
+EVP_OpenInit.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_char_p, ctypes.c_void_p]
+
+
+EVP_PKEY_size = libraries['ssl'].EVP_PKEY_size
+EVP_PKEY_size.restype = ctypes.c_int
+EVP_PKEY_size.argtypes = [ctypes.c_void_p]
+
+
+RSA_public_encrypt = libraries['ssl'].RSA_public_encrypt
+RSA_public_encrypt.restype = ctypes.c_int
+RSA_public_encrypt.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_int]
+
+
+EVP_PKEY_get1_RSA = libraries['ssl'].EVP_PKEY_get1_RSA
+EVP_PKEY_get1_RSA.restype = ctypes.c_void_p
+EVP_PKEY_get1_RSA.argtypes = [ctypes.c_void_p]
+
+
+EVP_DecryptInit_ex = libraries['ssl'].EVP_DecryptInit_ex
+EVP_DecryptInit_ex.restype = ctypes.c_int
+EVP_DecryptInit_ex.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_char_p, ctypes.c_char_p]
+
+
+EVP_CIPHER_CTX_set_key_length = libraries['ssl'].EVP_CIPHER_CTX_set_key_length
+EVP_CIPHER_CTX_set_key_length.restype = ctypes.c_int
+EVP_CIPHER_CTX_set_key_length.argtypes = [ctypes.c_void_p, ctypes.c_int]
+
+
+EVP_BytesToKey = libraries['ssl'].EVP_BytesToKey
+EVP_BytesToKey.restype = ctypes.c_int
+EVP_BytesToKey.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_int, ctypes.c_char_p, ctypes.c_char_p]
+
+
+ERR_get_error = libraries['ssl'].ERR_get_error
+ERR_get_error.restype = ctypes.c_long
+ERR_get_error.argtypes = []
+
+
+ERR_error_string_n = libraries['ssl'].ERR_error_string_n
+ERR_error_string_n.restype = ctypes.c_void_p
+ERR_error_string_n.argtypes = [ctypes.c_long, ctypes.c_char_p, ctypes.c_int]
+
+RSA_size = libraries['ssl'].RSA_size
+RSA_size.restype = ctypes.c_int
+RSA_size.argtypes = [ctypes.c_void_p]
+
+RSA_new = libraries['ssl'].RSA_new
+RSA_new.restype = ctypes.POINTER(RSA)
+
+RSA_generate_key = libraries['ssl'].RSA_generate_key
+RSA_generate_key.restype = ctypes.POINTER(RSA)
+RSA_generate_key.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_void_p, ctypes.c_void_p]
+
+RSA_print = libraries['ssl'].RSA_print
+RSA_print.restype = ctypes.c_int
+RSA_print.argtypes = [ctypes.c_void_p, ctypes.POINTER(RSA), ctypes.c_int]
+
+PEM_write_bio_RSA_PUBKEY = libraries['ssl'].PEM_write_bio_RSA_PUBKEY
+
+PEM_write_bio_RSAPrivateKey = libraries['ssl'].PEM_write_bio_RSAPrivateKey
+PEM_write_bio_RSAPrivateKey.restype = ctypes.c_int
+PEM_write_bio_RSAPrivateKey.argtypes = [ctypes.c_void_p, ctypes.POINTER(RSA), ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p]
+
+PEM_write_RSAPrivateKey = libraries['ssl'].PEM_write_RSAPrivateKey
+PEM_write_RSAPrivateKey.restype = ctypes.c_int
+PEM_write_RSAPrivateKey.argtypes = [ctypes.c_void_p, ctypes.POINTER(RSA), ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p]
+
+i2d_RSAPrivateKey = libraries['ssl'].i2d_RSAPrivateKey
+
+BIO_read = libraries['ssl'].BIO_read
+
+BIO_s_mem = libraries['ssl'].BIO_s_mem
+BIO_s_mem.restype = ctypes.c_void_p
+
+BIO_new = libraries['ssl'].BIO_new
+BIO_new.restype = ctypes.c_void_p
+BIO_new.argtypes = [ctypes.c_void_p]
+
+RAND_seed = libraries['ssl'].RAND_seed
+RAND_seed.argtypes = [ctypes.c_void_p, ctypes.c_int]
diff --git a/src/evpy/signature.py b/src/evpy/signature.py
new file mode 100755
index 00000000..29a6beac
--- /dev/null
+++ b/src/evpy/signature.py
@@ -0,0 +1,215 @@
+#! /usr/bin/env python
+
+"""
+signature.py
+
+Written by Geremy Condra
+Released on 18 March 2010
+Licensed under MIT License
+
+This module provides a basic interface to OpenSSL's EVP
+signature functions.
+
+All functions in this module will raise a SignatureError
+in the event of a malfunction.
+
+The goal of cryptographic signatures is to provide some
+degree of assurance that the data you are processing is
+both coming from the person you think is sending it and
+is what they sent.
+
+Note that this does not encrypt data in the sense that
+it does not provide secrecy for it, while evpy.cipher
+and evpy.envelope provide secrecy but no other security
+properties.
+
+Usage:
+	>>> from evpy import signature
+	>>> data = b"abcdefg"
+	>>> public_key = "test/keys/public1.pem"
+	>>> private_key = "test/keys/private1.pem"
+	>>> s = signature.sign(data, private_key)
+	>>> signature.verify(data, s, public_key)
+	True
+"""
+
+import ctypes
+
+import evp
+
+
+class SignatureError(evp.SSLError):
+	pass
+
+
+def sign(data, keyfile=None, key=None):
+	"""Signs the given data, raising SignatureError on failure.
+
+	Exactly one of keyfile, key should be given; if key is not
+	defined, then the key will be read from the given file.
+
+	Usage:
+		>>> from evpy import signature
+		>>> f = open("test/short.txt", "rb")
+		>>> data = f.read()
+		>>> public_key = "test/keys/public1.pem"
+		>>> private_key = "test/keys/private1.pem"
+		>>> s = signature.sign(data, private_key)
+		>>> signature.verify(data, s, public_key)
+		True
+	"""
+	# add the digests
+	evp.OpenSSL_add_all_digests()
+
+	# build the context
+	ctx = evp.EVP_MD_CTX_create()
+	if not ctx:
+		raise SignatureError("Could not create context")
+
+	# get the signing key
+	if key and not keyfile:
+		skey = _build_skey_from_string(key)
+	elif keyfile and not key:
+		skey = _build_skey_from_file(keyfile)
+	else:
+		raise SignatureError("Exactly one of key, keyfile must be specified")
+
+	# build the hash object
+	evp_hash = _build_hash()
+	if not evp.EVP_DigestInit(ctx, evp_hash):
+		_cleanup(skey, ctx)
+		raise SignatureError("Could not initialize signature")
+
+	# update
+	if not evp.EVP_DigestUpdate(ctx, data, len(data)):
+		_cleanup(skey, ctx)
+		raise SignatureError("Could not update signature")
+
+	# finalize
+	output_buflen = ctypes.c_int(evp.EVP_PKEY_size(skey))
+	output = ctypes.create_string_buffer(output_buflen.value)
+	if not evp.EVP_SignFinal(ctx, output, ctypes.byref(output_buflen), skey):
+		_cleanup(skey, ctx)
+		raise SignatureError("Could not finalize signature")
+
+	# cleanup
+	_cleanup(skey, ctx)
+
+	# and go home
+	return ctypes.string_at(output, output_buflen)
+
+
+def verify(data, sig, keyfile=None, key=None):
+	"""Verifies the given signature, returning a boolean.
+
+	Exactly one of keyfile, key should be specified.
+
+	This function raises SignatureError on error.
+
+	Usage:
+		>>> from evpy import signature
+		>>> f = open("test/short.txt", "rb")
+		>>> data = f.read()
+		>>> public_key = "test/keys/public1.pem"
+		>>> private_key = "test/keys/private1.pem"
+		>>> s = signature.sign(data, private_key)
+		>>> signature.verify(data, s, public_key)
+		True
+	"""
+	# add the digests
+	evp.OpenSSL_add_all_digests()
+	
+	# build the context
+	ctx = evp.EVP_MD_CTX_create()
+	if not ctx:
+		raise SignatureError("Could not create context")
+
+	# get the vkey
+	if key and not keyfile:
+		vkey = _build_vkey_from_string(key)
+	elif keyfile and not key:
+		vkey = _build_vkey_from_file(keyfile)
+	else:
+		raise SignatureError("Exactly one of key, keyfile must be specified")
+
+	# build the hash object
+	evp_hash = _build_hash()
+	if not evp.EVP_DigestInit(ctx, evp_hash):
+		_cleanup(vkey, ctx)
+		raise SignatureError("Could not initialize verifier")
+
+	# update
+	if not evp.EVP_DigestUpdate(ctx, data, len(data)):
+		_cleanup(vkey, ctx)
+		raise SignatureError("Could not update verifier")
+
+	# finalize
+	retcode = evp.EVP_VerifyFinal(ctx, sig, len(sig), vkey)
+
+	# cleanup
+	_cleanup(vkey, ctx)
+
+	# and go home
+	if retcode == 1:
+		return True
+	elif retcode == 0:
+		return False
+	else:
+		raise SignatureError("Error verifying signature")
+
+def _cleanup(key, ctx):
+	evp.EVP_PKEY_free(key)
+	evp.EVP_MD_CTX_cleanup(ctx)
+	evp.EVP_MD_CTX_destroy(ctx)
+
+def _string_to_bio(s):
+	return evp.BIO_new_mem_buf(s, len(s))
+
+def _build_skey_from_file(keyfile):
+	fp = evp.fopen(keyfile, "r")
+	if not fp:
+		raise SignatureError("Could not open keyfile")
+	# get the signing key
+	skey = evp.PEM_read_PrivateKey(fp, None, None, None)
+	if not skey:
+		evp.fclose(fp)
+		raise SignatureError("Could not read signing key")
+	# close the file
+	evp.fclose(fp)
+	return skey
+
+def _build_skey_from_string(key):
+	buf = ctypes.create_string_buffer(key)
+	bio = evp.BIO_new_mem_buf(buf, len(buf.value))
+	skey = evp.PEM_read_bio_PrivateKey(bio, None, None, None, None)
+	if not skey:
+		raise SignatureError("Could not construct signing key from the given string")
+	evp.BIO_free(bio)
+	return skey
+
+def _build_vkey_from_file(keyfile):
+	fp = evp.fopen(keyfile, "r")
+	if not fp:
+		raise SignatureError("Could not open keyfile")
+	# get the verification key
+	vkey = evp.PEM_read_PUBKEY(fp, None, None, None)
+	if not vkey:
+		evp.fclose(fp)
+		raise SignatureError("Could not read verification key")
+	# close the file
+	evp.fclose(fp)
+	return vkey
+
+def _build_vkey_from_string(key):
+	buf = ctypes.create_string_buffer(key)
+	bio = evp.BIO_new_mem_buf(buf, len(buf.value))
+	vkey = evp.PEM_read_bio_PUBKEY(bio, None, None, None)
+	if not vkey:
+		raise SignatureError("Could not construct verification key from the given string")
+	return vkey
+
+def _build_hash():
+	evp_hash = evp.EVP_get_digestbyname("sha512")
+	if not evp_hash:
+		raise SignatureError("Could not create hash object")
+	return evp_hash
diff --git a/src/evpy/test.py b/src/evpy/test.py
new file mode 100755
index 00000000..f9d39f1e
--- /dev/null
+++ b/src/evpy/test.py
@@ -0,0 +1,668 @@
+#! /usr/bin/env python
+
+"""
+test.py
+
+Written by Geremy Condra
+Licensed under MIT License
+Released 21 March 2010
+
+Simple unit tests for evpy
+"""
+
+import unittest
+
+from evpy import evp
+from evpy import cipher
+from evpy import signature
+from evpy import envelope
+
+# locations for test data
+TEST_DATA_DIR = "test/"
+TEST_KEYS = TEST_DATA_DIR + "keys/"
+
+# test text
+STRING = open(TEST_DATA_DIR + "long.txt").read()
+LONG = open(TEST_DATA_DIR + "long.txt", 'rb').read()
+SHORT = open(TEST_DATA_DIR + "short.txt", 'rb').read()
+UNICODE = open(TEST_DATA_DIR + "unicode.txt", 'rb').read()
+NULL = open(TEST_DATA_DIR + "null.txt", 'rb').read()
+TEST_TEXTS = {  "long": LONG, 
+		"short": SHORT, 
+		"unicode": UNICODE, 
+		"null": NULL}
+
+# test keys
+SHORT_SYMMETRIC = open(TEST_KEYS + "short_symmetric.txt", 'rb').read()
+LONG_SYMMETRIC = open(TEST_KEYS + "long_symmetric.txt", 'rb').read()
+SYMMETRIC_KEYS = [LONG_SYMMETRIC, SHORT_SYMMETRIC]
+SYMMETRIC_STRING = open(TEST_KEYS + "short_symmetric.txt").read()
+
+KEY_1 = TEST_KEYS + "private1.pem", TEST_KEYS + "public1.pem"
+KEY_2 = TEST_KEYS + "private2.pem", TEST_KEYS + "public2.pem"
+MISMATCH_1 = KEY_1[0], KEY_2[1]
+MISMATCH_2 = KEY_2[0], KEY_1[1]
+MISSING_PRIVATE_KEY = "notakey.pem", KEY_1[1]
+MISSING_PUBLIC_KEY = KEY_1[0], "notakey.pem"
+BLANK_PRIVATE_KEY = KEY_1[0], TEST_KEYS + "blank.pem"
+BLANK_PUBLIC_KEY = TEST_KEYS + "blank.pem", KEY_1[1]
+
+def run_n_times(f, g, n):
+	def err(*args, **kwargs):
+		if err.n > 0:
+			err.n -= 1
+			return f(*args, **kwargs)
+		else: 
+			return g(*args, **kwargs)
+	err.n = n
+	return err
+
+class TestCipher(unittest.TestCase):
+
+	def round_trip(self, key, text):
+		salt, iv, enc = cipher.encrypt(text, key)
+		output = cipher.decrypt(salt, iv, enc, key)
+		self.assertEqual(output, text, "Failed to round trip")
+
+	def test_round_trip_short_zero(self):
+		self.assertRaises(cipher.CipherError, self.round_trip, SHORT_SYMMETRIC, '')
+
+	def test_round_trip_short_long(self):
+		self.round_trip(SHORT_SYMMETRIC, LONG)
+
+	def test_round_trip_short_short(self):
+		self.round_trip(SHORT_SYMMETRIC, SHORT)
+
+	def test_round_trip_short_unicode(self):
+		self.round_trip(SHORT_SYMMETRIC, UNICODE)
+
+	def test_round_trip_short_null(self):
+		self.round_trip(SHORT_SYMMETRIC, NULL)
+
+	def test_round_trip_long_zero(self):
+		self.assertRaises(cipher.CipherError, self.round_trip, LONG_SYMMETRIC, '')
+
+	def test_round_trip_long_long(self):
+		self.round_trip(LONG_SYMMETRIC, LONG)
+
+	def test_round_trip_long_short(self):
+		self.round_trip(LONG_SYMMETRIC, SHORT)
+
+	def test_round_trip_long_unicode(self):
+		self.round_trip(LONG_SYMMETRIC, UNICODE)
+
+	def test_round_trip_long_null(self):
+		self.round_trip(LONG_SYMMETRIC, NULL)
+
+	def test_no_data(self):
+		iv, salt, enc = cipher.encrypt(UNICODE, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, '', SHORT_SYMMETRIC)
+
+	def test_short_salt(self):
+		salt, iv, enc = cipher.encrypt(UNICODE, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, salt[:-1], iv, enc, SHORT_SYMMETRIC)
+
+	def test_long_salt(self):
+		salt, iv, enc = cipher.encrypt(UNICODE, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, salt+salt[:-1], iv, enc, SHORT_SYMMETRIC)
+
+	def test_short_iv(self):
+		salt, iv, enc = cipher.encrypt(UNICODE, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, salt, iv[:-1], enc, SHORT_SYMMETRIC)
+
+	def test_long_iv(self):
+		salt, iv, enc = cipher.encrypt(UNICODE, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, salt, iv+iv[:-1], enc, SHORT_SYMMETRIC)
+
+	def test_round_trip_no_password(self):
+		iv, salt, enc = cipher.encrypt(UNICODE, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.encrypt, UNICODE, '')
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, enc, '')
+
+	def test_round_trip_failure(self):
+		salt, iv, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, salt, iv, enc, LONG_SYMMETRIC)
+		salt, iv, enc = cipher.encrypt(NULL, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, salt, iv, enc, LONG_SYMMETRIC)
+
+	def test_bad_rand_bytes(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		rand_bytes = cipher.evp.RAND_bytes
+		cipher.evp.RAND_bytes = lambda a,b: 0
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.RAND_bytes = rand_bytes
+
+	def test_bad_rand_bytes_1(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		rand_bytes = cipher.evp.RAND_bytes
+		cipher.evp.RAND_bytes = lambda a,b: 0
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.RAND_bytes = rand_bytes
+
+	def test_bad_rand_bytes_2(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		rand_bytes = cipher.evp.RAND_bytes
+		cipher.evp.RAND_bytes = run_n_times(cipher.evp.RAND_bytes, lambda a,b:0, 1)
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.RAND_bytes = rand_bytes
+
+	def test_bad_hash_by_name(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		hash_by_name = cipher.evp.EVP_get_digestbyname
+		cipher.evp.EVP_get_digestbyname = lambda a: None
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.EVP_get_digestbyname = hash_by_name
+
+	def test_bad_bytes_to_key(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		bytes_to_key = cipher.evp.EVP_BytesToKey
+		cipher.evp.EVP_BytesToKey = lambda a,b,c,d,e,f,g,h: 0
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, enc, SHORT_SYMMETRIC)
+		cipher.evp.EVP_BytesToKey = bytes_to_key
+
+	def test_bad_ctx_new(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		new_ctx = cipher.evp.EVP_CIPHER_CTX_new
+		cipher.evp.EVP_CIPHER_CTX_new = lambda: None
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, enc, SHORT_SYMMETRIC)
+		cipher.evp.EVP_CIPHER_CTX_new = new_ctx
+
+	def test_bad_cipher_object(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		cipher_getter = cipher.evp.EVP_aes_192_cbc
+		cipher.evp.EVP_aes_192_cbc= lambda: None
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, enc, SHORT_SYMMETRIC)
+		cipher.evp.EVP_aes_192_cbc = cipher_getter
+
+	def test_bad_encrypt_init_1(self):
+		encrypt_init = cipher.evp.EVP_EncryptInit_ex
+		cipher.evp.EVP_EncryptInit_ex = lambda a,b,c,d,e: None
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.EVP_EncryptInit_ex = encrypt_init
+
+	def test_bad_encrypt_init_2(self):
+		encrypt_init = cipher.evp.EVP_EncryptInit_ex
+		cipher.evp.EVP_EncryptInit_ex = run_n_times(cipher.evp.EVP_EncryptInit_ex, lambda a,b,c,d,e: None, 1)
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.EVP_EncryptInit_ex = encrypt_init
+
+	def test_bad_encrypt_update(self):
+		encrypt_update = cipher.evp.EVP_EncryptUpdate
+		cipher.evp.EVP_EncryptUpdate = lambda a,b,c,d,e: None
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.EVP_EncryptUpdate = encrypt_update
+
+	def test_bad_encrypt_final(self):
+		encrypt_final = cipher.evp.EVP_EncryptFinal_ex
+		cipher.evp.EVP_EncryptFinal_ex = lambda a,b,c: None
+		self.assertRaises(cipher.CipherError, cipher.encrypt, SHORT, SHORT_SYMMETRIC)
+		cipher.evp.EVP_EncryptFinal_ex = encrypt_final
+
+	def test_bad_decrypt_init(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		decrypt_init = cipher.evp.EVP_DecryptInit_ex
+		cipher.evp.EVP_DecryptInit_ex = lambda a,b,c,d,e: None
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, enc, SHORT_SYMMETRIC)
+		cipher.evp.EVP_DecryptInit_ex = decrypt_init
+
+	def test_bad_decrypt_update(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		decrypt_update = cipher.evp.EVP_DecryptUpdate
+		cipher.evp.EVP_DecryptUpdate = lambda a,b,c,d,e: None
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, enc, SHORT_SYMMETRIC)
+		cipher.evp.EVP_DecryptUpdate = decrypt_update
+
+	def test_bad_decrypt_final(self):
+		iv, salt, enc = cipher.encrypt(SHORT, SHORT_SYMMETRIC)
+		decrypt_final = cipher.evp.EVP_DecryptFinal_ex
+		cipher.evp.EVP_DecryptFinal_ex = lambda a,b,c: None
+		self.assertRaises(cipher.CipherError, cipher.decrypt, iv, salt, enc, SHORT_SYMMETRIC)
+		cipher.evp.EVP_DecryptFinal_ex = decrypt_final
+
+
+class TestSignature(unittest.TestCase):
+	
+	def round_trip(self, keys, text):
+		s = signature.sign(text, keys[0])
+		return signature.verify(text, s, keys[1])
+
+	def round_trip_strings(self, keys, text):
+		s = signature.sign(text, key=open(keys[0], 'rb').read())
+		v = signature.verify(text, s, key=open(keys[1], 'rb').read())
+		return v
+
+	def round_trip_all_keys(self, text):
+		self.assertTrue(self.round_trip(KEY_1, text))
+		self.assertTrue(self.round_trip(KEY_2, text))
+		self.assertFalse(self.round_trip(MISMATCH_1, text))
+		self.assertFalse(self.round_trip(MISMATCH_2, text))
+		self.assertTrue(self.round_trip_strings(KEY_1, text))
+		self.assertTrue(self.round_trip_strings(KEY_2, text))
+		self.assertFalse(self.round_trip_strings(MISMATCH_1, text))
+		self.assertFalse(self.round_trip_strings(MISMATCH_2, text))
+
+	def test_round_trip_long(self):
+		self.round_trip_all_keys(LONG)
+
+	def test_round_trip_short(self):
+		self.round_trip_all_keys(SHORT)
+
+	def test_round_trip_unicode(self):
+		self.round_trip_all_keys(UNICODE)
+
+	def test_round_trip_null(self):
+		self.round_trip_all_keys(NULL)
+
+	def test_round_trip_zero(self):
+		self.round_trip_all_keys('')
+
+	def test_arguments(self):
+		text = SHORT
+		keys = KEY_1
+		self.failUnlessRaises(signature.SignatureError, signature.sign, text, key=open(keys[0], 'rb').read(), keyfile=keys[0])
+		self.failUnlessRaises(signature.SignatureError, signature.sign, text)
+		s = signature.sign(text, keyfile=keys[0])
+		self.failUnlessRaises(signature.SignatureError, signature.verify, text, s, key=open(keys[1], 'rb').read(), keyfile=keys[1])
+		self.failUnlessRaises(signature.SignatureError, signature.verify, text, s)
+
+	def test_bad_ctx(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		new_ctx = signature.evp.EVP_MD_CTX_create
+		signature.evp.EVP_MD_CTX_create = lambda: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, KEY_1[0])
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, KEY_1[1])
+		signature.evp.EVP_MD_CTX_create = new_ctx
+
+	def test_bad_hash(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		new_hash = signature.evp.EVP_get_digestbyname
+		signature.evp.EVP_get_digestbyname = lambda a: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, KEY_1[0])
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, KEY_1[1])
+		signature.evp.EVP_get_digestbyname = new_hash
+
+	def test_bad_digest_init(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		init = signature.evp.EVP_DigestInit
+		signature.evp.EVP_DigestInit = lambda a,b: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, KEY_1[0])
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, KEY_1[1])
+		signature.evp.EVP_DigestInit = init
+
+	def test_bad_digest_update(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		update = signature.evp.EVP_DigestUpdate
+		signature.evp.EVP_DigestUpdate = lambda a,b,c: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, KEY_1[0])
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, KEY_1[1])
+		signature.evp.EVP_DigestUpdate = update
+
+	def test_bad_sign_final(self):
+		final = signature.evp.EVP_SignFinal
+		signature.evp.EVP_SignFinal = lambda a,b,c,d: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, KEY_1[0])
+		signature.evp.EVP_SignFinal = final
+
+	def test_bad_verify_final(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		final = signature.evp.EVP_VerifyFinal
+		signature.evp.EVP_VerifyFinal = lambda a,b,c,d: None
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, KEY_1[1])
+		signature.evp.EVP_VerifyFinal = final
+
+	def test_bad_read_privatekey(self):
+		read_private_key = signature.evp.PEM_read_PrivateKey
+		signature.evp.PEM_read_PrivateKey = lambda a,b,c,d: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, KEY_1[0])
+		signature.evp.PEM_read_PrivateKey = read_private_key
+
+	def test_bad_read_publickey(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		read_public_key = signature.evp.PEM_read_PUBKEY
+		signature.evp.PEM_read_PUBKEY = lambda a,b,c,d: None
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, KEY_1[1])
+		signature.evp.PEM_read_PUBKEY = read_public_key
+
+	def test_bad_read_bio_privatekey(self):
+		read_private_key = signature.evp.PEM_read_bio_PrivateKey
+		signature.evp.PEM_read_bio_PrivateKey = lambda a,b,c,d,e: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, key=open(KEY_1[0], 'rb').read())
+		signature.evp.PEM_read_bio_PrivateKey = read_private_key
+
+	def test_bad_read_bio_publickey(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		read_public_key = signature.evp.PEM_read_bio_PUBKEY
+		signature.evp.PEM_read_bio_PUBKEY = lambda a,b,c,d: None
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, key=open(KEY_1[1], 'rb').read())
+		signature.evp.PEM_read_bio_PUBKEY = read_public_key
+
+	def test_bad_fopen(self):
+		s = signature.sign(SHORT, KEY_1[0])
+		file_open = signature.evp.fopen
+		signature.evp.fopen = lambda a,b: None
+		self.assertRaises(signature.SignatureError, signature.sign, SHORT, KEY_1[1])
+		self.assertRaises(signature.SignatureError, signature.verify, SHORT, s, KEY_1[0])
+		signature.evp.fopen = file_open
+
+
+class TestEnvelope(unittest.TestCase):
+
+	def round_trip(self, keys, text):
+		iv, sym_key, enc = envelope.encrypt(text, keys[1])
+		return envelope.decrypt(iv, sym_key, enc, keys[0])
+
+	def round_trip_strings(self, keys, text):
+		iv, sym_key, enc = envelope.encrypt(text, key=open(keys[1], 'rb').read())
+		return envelope.decrypt(iv, sym_key, enc, key=open(keys[0], 'rb').read())
+
+	def test_round_trip_zero(self):
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, KEY_1, '')
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, KEY_2, '')
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_1, '')
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_2, '')
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, KEY_1, '')
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, KEY_2, '')
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_1, '')
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_2, '')
+
+	def test_round_trip_long(self):
+		self.assertEqual(self.round_trip_strings(KEY_1, LONG), LONG, "Failed to round trip")
+		self.assertEqual(self.round_trip_strings(KEY_2, LONG), LONG, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_1, LONG)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_2, LONG)
+		self.assertEqual(self.round_trip(KEY_1, LONG), LONG, "Failed to round trip")
+		self.assertEqual(self.round_trip(KEY_2, LONG), LONG, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_1, LONG)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_2, LONG)
+
+	def test_round_trip_short(self):
+		self.assertEqual(self.round_trip(KEY_1, SHORT), SHORT, "Failed to round trip")
+		self.assertEqual(self.round_trip(KEY_2, SHORT), SHORT, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_1, SHORT)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_2, SHORT)
+		self.assertEqual(self.round_trip_strings(KEY_1, SHORT), SHORT, "Failed to round trip")
+		self.assertEqual(self.round_trip_strings(KEY_2, SHORT), SHORT, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_1, SHORT)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_2, SHORT)
+
+	def test_round_trip_unicode(self):
+		self.assertEqual(self.round_trip(KEY_1, UNICODE), UNICODE, "Failed to round trip")
+		self.assertEqual(self.round_trip(KEY_2, UNICODE), UNICODE, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_1, UNICODE)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_2, UNICODE)
+		self.assertEqual(self.round_trip_strings(KEY_1, UNICODE), UNICODE, "Failed to round trip")
+		self.assertEqual(self.round_trip_strings(KEY_2, UNICODE), UNICODE, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_1, UNICODE)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_2, UNICODE)
+
+	def test_round_trip_null(self):
+		self.assertEqual(self.round_trip(KEY_1, NULL), NULL, "Failed to round trip")
+		self.assertEqual(self.round_trip(KEY_2, NULL), NULL, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_1, NULL)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISMATCH_2, NULL)
+		self.assertEqual(self.round_trip_strings(KEY_1, NULL), NULL, "Failed to round trip")
+		self.assertEqual(self.round_trip_strings(KEY_2, NULL), NULL, "Failed to round trip")
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_1, NULL)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, MISMATCH_2, NULL)
+
+	def test_bad_keys(self):
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISSING_PUBLIC_KEY, SHORT)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip, MISSING_PRIVATE_KEY, SHORT)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, BLANK_PUBLIC_KEY, SHORT)
+		self.assertRaises(envelope.EnvelopeError, self.round_trip_strings, BLANK_PRIVATE_KEY, SHORT)
+
+	def test_bad_call(self):
+		# neither key nor keyfile
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT)
+		# both
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[0], open(KEY_1[0], 'rb').read())
+		# string key instead of bytes
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, key=open(KEY_1[0], 'r').read())
+		# string data instead of bytes
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, str(SHORT), KEY_1[0], open(KEY_1[0], 'rb').read())
+		# get valid encryption data		
+		iv, aes_key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		# neither key nor keyfile
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, enc)
+		# both
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, enc, KEY_1[1], key=open(KEY_1[1], 'rb').read())
+		# string key instead of bytes
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, enc, key=open(KEY_1[1], 'r').read())
+		# string data instead of bytes
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, str(enc), KEY_1[1], key=open(KEY_1[1], 'rb').read())
+		# string iv instead of bytes
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, str(iv), aes_key, enc, KEY_1[1], key=open(KEY_1[1], 'rb').read())
+		# string key instead of bytes
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, str(aes_key), enc, KEY_1[1], key=open(KEY_1[1], 'rb').read())
+
+	def test_bad_rand_bytes_1(self):
+		rand_bytes = envelope.evp.RAND_bytes
+		envelope.evp.RAND_bytes = lambda a,b:0
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.RAND_bytes = rand_bytes
+
+	def test_bad_rand_bytes_2(self):
+		rand_bytes = envelope.evp.RAND_bytes
+		envelope.evp.RAND_bytes = run_n_times(evp.RAND_bytes, lambda a,b:0, 1)
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.RAND_bytes = rand_bytes
+
+	def test_bad_rsa_size(self):
+		rsa_size = envelope.evp.RSA_size
+		envelope.evp.RSA_size = lambda a:0
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.RSA_size = rsa_size
+
+	def test_bad_read_privatekey(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		read_private_key = envelope.evp.PEM_read_PrivateKey
+		envelope.evp.PEM_read_PrivateKey = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.PEM_read_PrivateKey = read_private_key
+
+	def test_bad_read_publickey(self):
+		read_public_key = envelope.evp.PEM_read_PUBKEY
+		envelope.evp.PEM_read_PUBKEY = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.PEM_read_PUBKEY = read_public_key
+
+	def test_bad_read_bio_privatekey(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		read_private_key = envelope.evp.PEM_read_bio_PrivateKey
+		envelope.evp.PEM_read_bio_PrivateKey = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, key=open(KEY_1[0], 'rb').read())
+		envelope.evp.PEM_read_bio_PrivateKey = read_private_key
+
+	def test_bad_read_bio_publickey(self):
+		read_public_key = envelope.evp.PEM_read_bio_PUBKEY
+		envelope.evp.PEM_read_bio_PUBKEY = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, key=open(KEY_1[0], 'rb').read())
+		envelope.evp.PEM_read_bio_PUBKEY = read_public_key
+
+	def test_bad_fopen(self):
+		iv, aes_key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		file_open = envelope.evp.fopen
+		envelope.evp.fopen = lambda a,b: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, enc, KEY_1[0])
+		envelope.evp.fopen = file_open
+
+	def test_bad_ctx_new(self):
+		iv, aes_key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		new_ctx = envelope.evp.EVP_CIPHER_CTX_new
+		envelope.evp.EVP_CIPHER_CTX_new = lambda: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, enc, KEY_1[0])
+		envelope.evp.EVP_CIPHER_CTX_new = new_ctx
+
+	def test_bad_cipher_object(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		cipher_getter = envelope.evp.EVP_aes_192_cbc
+		envelope.evp.EVP_aes_192_cbc= lambda: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.EVP_aes_192_cbc = cipher_getter
+
+	def test_bad_encrypt_init_1(self):
+		encrypt_init = envelope.evp.EVP_EncryptInit_ex
+		envelope.evp.EVP_EncryptInit_ex = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_EncryptInit_ex = encrypt_init
+
+	def test_bad_encrypt_init_2(self):
+		encrypt_init = envelope.evp.EVP_EncryptInit_ex
+		envelope.evp.EVP_EncryptInit_ex = run_n_times(envelope.evp.EVP_EncryptInit_ex, lambda a,b,c,d,e: None, 1)
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_EncryptInit_ex = encrypt_init
+
+	def test_bad_encrypt_update(self):
+		encrypt_update = envelope.evp.EVP_EncryptUpdate
+		envelope.evp.EVP_EncryptUpdate = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_EncryptUpdate = encrypt_update
+
+	def test_bad_encrypt_final(self):
+		encrypt_final = envelope.evp.EVP_EncryptFinal_ex
+		envelope.evp.EVP_EncryptFinal_ex = lambda a,b,c: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_EncryptFinal_ex = encrypt_final
+
+	def test_bad_open_init(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		decrypt_init = envelope.evp.EVP_OpenInit
+		envelope.evp.EVP_OpenInit = lambda a,b,c,d,e,f: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.EVP_OpenInit = decrypt_init
+
+	def test_bad_decrypt_update(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		decrypt_update = envelope.evp.EVP_DecryptUpdate
+		envelope.evp.EVP_DecryptUpdate = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.EVP_DecryptUpdate = decrypt_update
+
+	def test_bad_decrypt_final(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		decrypt_final = envelope.evp.EVP_DecryptFinal_ex
+		envelope.evp.EVP_DecryptFinal_ex = lambda a,b,c: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		cipher.evp.EVP_DecryptFinal_ex = decrypt_final
+
+	def test_bad_rsa_get(self):
+		get_rsa = envelope.evp.EVP_PKEY_get1_RSA
+		envelope.evp.EVP_PKEY_get1_RSA = lambda a: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_PKEY_get1_RSA = get_rsa
+
+	def test_bad_rsa_encrypt(self):
+		encrypt_rsa = envelope.evp.RSA_public_encrypt
+		envelope.evp.RSA_public_encrypt = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.RSA_public_encrypt = encrypt_rsa
+
+	def test_bad_read_privatekey(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		read_private_key = envelope.evp.PEM_read_PrivateKey
+		envelope.evp.PEM_read_PrivateKey = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.PEM_read_PrivateKey = read_private_key
+
+	def test_bad_read_publickey(self):
+		read_public_key = envelope.evp.PEM_read_PUBKEY
+		envelope.evp.PEM_read_PUBKEY = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.PEM_read_PUBKEY = read_public_key
+
+	def test_bad_read_bio_privatekey(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		read_private_key = envelope.evp.PEM_read_bio_PrivateKey
+		envelope.evp.PEM_read_bio_PrivateKey = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, key=open(KEY_1[0], 'rb').read())
+		envelope.evp.PEM_read_bio_PrivateKey = read_private_key
+
+	def test_bad_read_bio_publickey(self):
+		read_public_key = envelope.evp.PEM_read_bio_PUBKEY
+		envelope.evp.PEM_read_bio_PUBKEY = lambda a,b,c,d: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, key=open(KEY_1[0], 'rb').read())
+		envelope.evp.PEM_read_bio_PUBKEY = read_public_key
+
+	def test_bad_fopen(self):
+		iv, aes_key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		file_open = envelope.evp.fopen
+		envelope.evp.fopen = lambda a,b: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, enc, KEY_1[0])
+		envelope.evp.fopen = file_open
+
+	def test_bad_ctx_new(self):
+		iv, aes_key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		new_ctx = envelope.evp.EVP_CIPHER_CTX_new
+		envelope.evp.EVP_CIPHER_CTX_new = lambda: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, aes_key, enc, KEY_1[0])
+		envelope.evp.EVP_CIPHER_CTX_new = new_ctx
+
+	def test_bad_cipher_object(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		cipher_getter = envelope.evp.EVP_aes_192_cbc
+		envelope.evp.EVP_aes_192_cbc= lambda: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.EVP_aes_192_cbc = cipher_getter
+
+	def test_bad_encrypt_init(self):
+		encrypt_init = envelope.evp.EVP_EncryptInit_ex
+		envelope.evp.EVP_EncryptInit_ex = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_EncryptInit_ex = encrypt_init
+
+	def test_bad_encrypt_update(self):
+		encrypt_update = envelope.evp.EVP_EncryptUpdate
+		envelope.evp.EVP_EncryptUpdate = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_EncryptUpdate = encrypt_update
+
+	def test_bad_encrypt_final(self):
+		encrypt_final = envelope.evp.EVP_EncryptFinal_ex
+		envelope.evp.EVP_EncryptFinal_ex = lambda a,b,c: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_EncryptFinal_ex = encrypt_final
+
+	def test_bad_open_init(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		decrypt_init = envelope.evp.EVP_OpenInit
+		envelope.evp.EVP_OpenInit = lambda a,b,c,d,e,f: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.EVP_OpenInit = decrypt_init
+
+	def test_bad_decrypt_update(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		decrypt_update = envelope.evp.EVP_DecryptUpdate
+		envelope.evp.EVP_DecryptUpdate = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		envelope.evp.EVP_DecryptUpdate = decrypt_update
+
+	def test_bad_decrypt_final(self):
+		iv, key, enc = envelope.encrypt(SHORT, KEY_1[1])
+		decrypt_final = envelope.evp.EVP_DecryptFinal_ex
+		envelope.evp.EVP_DecryptFinal_ex = lambda a,b,c: None
+		self.assertRaises(envelope.EnvelopeError, envelope.decrypt, iv, key, enc, KEY_1[0])
+		cipher.evp.EVP_DecryptFinal_ex = decrypt_final
+
+	def test_bad_rsa_get(self):
+		get_rsa = envelope.evp.EVP_PKEY_get1_RSA
+		envelope.evp.EVP_PKEY_get1_RSA = lambda a: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.EVP_PKEY_get1_RSA = get_rsa
+
+	def test_bad_rsa_encrypt(self):
+		encrypt_rsa = envelope.evp.RSA_public_encrypt
+		envelope.evp.RSA_public_encrypt = lambda a,b,c,d,e: None
+		self.assertRaises(envelope.EnvelopeError, envelope.encrypt, SHORT, KEY_1[1])
+		envelope.evp.RSA_public_encrypt = encrypt_rsa
+
+if __name__ == "__main__":
+	unittest.main()
diff --git a/src/quickstart.py b/src/quickstart.py
new file mode 100755
index 00000000..765002b7
--- /dev/null
+++ b/src/quickstart.py
@@ -0,0 +1,399 @@
+"""
+<Program Name>
+  quickstart.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  June 2012.  Based on a previous version by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  This script acts as a handy quickstart for TUF, helping project and
+  repository maintainers get into the game as quickly and painlessly as
+  possible.  'quickstart.py' creates the metadata files for all the top-level
+  roles (along with their respective cryptographic keys), all of the
+  target files specified by the user, and a configuration file named
+  'config.cfg'.  The user may then use the 'signercli' script to modify,
+  if they wish, the basic repository created by 'quickstart.py'.
+
+  If executed successfully, 'quickstart.py' saves the 'repository', 'keystore',
+  and 'client' directories to the current directory.  The 'repository' directory
+  should be transferred to the server responding to TUF repository requests.
+  'keystore' and the individual encrypted key files should be securely stored
+  and managed by the repository maintainer; these files will be needed again
+  when modifying the metadata files.  'client' should be initially distributed
+  to users by the software updater utilizing TUF.
+
+<Usage>
+  $ python quickstart.py --<option> argument
+
+  Examples:
+  $ python quickstart.py --project ./project-files/
+  $ python quickstart.py --project ./project-files/ --verbose 1
+
+<Options>
+  --verbose:
+    Set the verbosity level of logging messages.  Accepts values 1-5.
+    The lower the setting, the greater the verbosity.
+
+  --project:
+    Specify the project directory containing the target files to be
+    served by the TUF repository.
+
+"""
+
+import datetime
+import getpass
+import sys
+import os
+import optparse
+import ConfigParser
+import shutil
+import tempfile
+import logging
+
+import tuf
+import tuf.repo.signerlib
+import tuf.repo.keystore
+import tuf.formats
+import tuf.util
+import tuf.log
+
+# See 'log.py' to learn how logging is handled in TUF.
+logger = logging.getLogger('tuf')
+
+# Set the default file names for the top-level roles.
+# For instance: in 'signerlib.py', ROOT_FILENAME = 'root.txt'.
+ROOT_FILENAME = tuf.repo.signerlib.ROOT_FILENAME
+TARGETS_FILENAME = tuf.repo.signerlib.TARGETS_FILENAME
+RELEASE_FILENAME = tuf.repo.signerlib.RELEASE_FILENAME
+TIMESTAMP_FILENAME = tuf.repo.signerlib.TIMESTAMP_FILENAME
+
+# The maximum number of attempts the user has to enter
+# valid input.
+MAX_INPUT_ATTEMPTS = 3
+
+
+def _prompt(message, result_type=str):
+  """
+    Prompt the user for input by printing 'message', converting
+    the input to 'result_type', and returning the value to the
+    caller.
+
+  """
+
+  return result_type(raw_input(message))
+
+
+
+
+
+def _get_password(prompt='Password: ', confirm=False):
+  """
+    Return the password entered by the user.  If 'confirm'
+    is True, the user is asked to enter the previously
+    entered password once again.  If they match, the
+    password is returned to the caller.
+
+  """
+
+  while True:
+    # getpass() prompts the user for a password without echoing
+    # the user input.
+    password = getpass.getpass(prompt, sys.stderr)
+    if not confirm:
+      return password
+    password2 = getpass.getpass('Confirm: ', sys.stderr)
+    if password == password2:
+      return password
+    else:
+      print 'Mismatch; try again.'
+
+
+
+
+
+def build_repository(project_directory):
+  """
+  <Purpose>
+    Build a basic TUF repository.  All of the required files needed by a
+    repository mirror are created, such as the metadata files of the top-level
+    roles, cryptographic keys, and the directories containing all of the target
+    files.
+
+  <Arguments>
+    project_directory:
+      The directory containing the target files to be copied over to the
+      targets directory of the repository.
+
+  <Exceptions>
+    tuf.RepositoryError, if there was an error building the repository.
+
+  <Side Effects>
+    The repository files created are written to disk to the current
+    working directory.
+
+  <Returns>
+    None.
+
+  """
+
+  # Do the arguments have the correct format?
+  # Raise 'tuf.RepositoryError' if there is a mismatch.
+  try:
+    tuf.formats.PATH_SCHEMA.check_match(project_directory)
+  except tuf.FormatError, e:
+    message = str(e)
+    raise tuf.RepositoryError(message)
+  
+  # Verify the 'project_directory' argument.
+  project_directory = os.path.abspath(project_directory)
+  try:
+    tuf.repo.signerlib.check_directory(project_directory)
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)
+    raise tuf.RepositoryError(message)
+  
+  # Handle the expiration time.  The expiration date determines when
+  # the top-level roles expire.
+  message = '\nWhen would you like your certificates to expire? (mm/dd/yyyy): '
+  timeout = None
+  for attempt in range(MAX_INPUT_ATTEMPTS):
+    # Get the difference between the user's entered expiration date and today's
+    # date.  Convert and store the difference to total days till expiration.
+    try:
+      input_date = _prompt(message)
+      expiration_date = datetime.datetime.strptime(input_date, '%m/%d/%Y')
+      time_difference = expiration_date - datetime.datetime.now()
+      timeout = time_difference.days
+      if timeout < 1:
+        raise ValueError
+      break
+    except ValueError, e:
+      logger.error('Invalid expiration date entered')
+      timeout = None
+      continue
+
+  # Was a valid value for 'timeout' set?
+  if timeout is None:
+    raise tuf.RepositoryError('Could not get a valid expiration date\n')
+
+  # Build the repository directories.
+  metadata_directory = None
+  targets_directory = None
+
+  # Save the repository directory to the current directory, with
+  # an initial name of 'repository'.  The repository maintainer
+  # may opt to rename this directory and should transfer it elsewhere,
+  # such as the webserver that will respond to TUF requests.
+  repository_directory = os.path.join(os.getcwd(), 'repository')
+  
+  # Copy the files from the project directory to the repository's targets
+  # directory.  The targets directory will hold all the individual
+  # target files.
+  targets_directory = os.path.join(repository_directory, 'targets')
+  temporary_directory = tempfile.mkdtemp()
+  temporary_targets = os.path.join(temporary_directory, 'targets')
+  shutil.copytree(project_directory, temporary_targets)
+  
+  # Remove the log file created by the tuf logger, if it exists.
+  # It might exist if the current directory was specified as the
+  # project directory on the command-line.
+  log_filename = tuf.log._DEFAULT_LOG_FILENAME
+  if log_filename in os.listdir(temporary_targets):
+    log_file = os.path.join(temporary_targets, log_filename)
+    os.remove(log_file)
+
+  # Try to create the repository directory.
+  try:
+    os.mkdir(repository_directory)
+  # 'OSError' raised if the directory exists.
+  except OSError, e:
+    message = 'Trying to create a new repository over an old repository '+\
+      'installation.  Remove '+repr(repository_directory)+' before '+\
+      'trying again.'
+    raise tuf.RepositoryError(message)
+
+  # Move the temporary targets directory into place now that repository
+  # directory has been created.
+  shutil.move(temporary_targets, targets_directory)
+  
+  # Try to create the metadata directory that will hold all of the
+  # metadata files, such as 'root.txt' and 'release.txt'.
+  try:
+    metadata_directory = os.path.join(repository_directory, 'metadata')
+    logger.info('Creating '+repr(metadata_directory))
+    os.mkdir(metadata_directory)
+  except OSError, e:
+    pass
+
+  # Set the keystore directory.
+  keystore_directory = os.path.join(os.getcwd(), 'keystore')
+
+  # Try to create the keystore directory.
+  try:
+    os.mkdir(keystore_directory)
+  # 'OSError' raised if the directory exists.
+  except OSError, e:
+    pass
+
+  # Build the keystore and save the generated keys.
+  role_info = {}
+  for role in ['root', 'targets', 'release', 'timestamp']:
+    # Ensure the user inputs a valid threshold value.
+    role_threshold = None
+    for attempt in range(MAX_INPUT_ATTEMPTS):
+      message = '\nEnter the desired threshold for the role '+repr(role)+': '
+
+      # Check for non-integers and values less than one.
+      try:
+        role_threshold = _prompt(message, int)
+        if not tuf.formats.THRESHOLD_SCHEMA.matches(role_threshold):
+          raise ValueError
+        break
+      except ValueError, e:
+        logger.warning('Invalid role threshold entered')
+        role_threshold = None
+        continue
+
+    # Did the user input a valid threshold value?
+    if role_threshold is None:
+      raise tuf.RepositoryError('Could not build the keystore\n')
+
+    # Retrieve the password(s) for 'role', generate the key(s),
+    # and save them to the keystore.
+    for threshold in range(role_threshold):
+      message = 'Enter a password for '+repr(role)+' ('+str(threshold+1)+'): '
+      password = _get_password(message)
+      key = tuf.repo.signerlib.generate_and_save_rsa_key(keystore_directory,
+                                                         password)
+      try:
+        role_info[role]['keyids'].append(key['keyid'])
+      except KeyError:
+        info = {'keyids': [key['keyid']], 'threshold': role_threshold}
+        role_info[role] = info
+
+  # At this point the keystore is built and the 'role_info' dictionary
+  # looks something like this:
+  # {'keyids : [keyid1, keyid2] , 'threshold' : 2}
+
+  # Build the configuration file.
+  config_filepath = tuf.repo.signerlib.build_config_file(repository_directory,
+                                                         timeout, role_info)
+
+  # Generate the 'root.txt' metadata file.
+  root_keyids = role_info['root']['keyids']
+  tuf.repo.signerlib.build_root_file(config_filepath, root_keyids,
+                                     metadata_directory)
+
+  # Generate the 'targets.txt' metadata file.
+  targets_keyids = role_info['targets']['keyids']
+  tuf.repo.signerlib.build_targets_file(targets_directory, targets_keyids,
+                                        metadata_directory)
+
+  # Generate the 'release.txt' metadata file.
+  release_keyids = role_info['release']['keyids']
+  tuf.repo.signerlib.build_release_file(release_keyids, metadata_directory)
+
+  # Generate the 'timestamp.txt' metadata file.
+  timestamp_keyids = role_info['timestamp']['keyids']
+  tuf.repo.signerlib.build_timestamp_file(timestamp_keyids, metadata_directory)
+
+  # Generate the 'client' directory containing the metadata of the created
+  # repository.  'tuf.client.updater.py' expects the 'current' and 'previous'
+  # directories to exist under 'metadata'.
+  client_metadata_directory = os.path.join(os.getcwd(), 'client', 'metadata')
+  try:
+    os.makedirs(client_metadata_directory)
+  except OSError, e:
+    message = 'Cannot create a fresh client metadata directory: '+\
+      repr(client_metadata_directory)+'.  The client metadata '+\
+      'will need to be manually created.  See the README file.'
+    logger.warn(message)
+
+  # Move the metadata to the client's 'current' and 'previous' directories.
+  client_current = os.path.join(client_metadata_directory, 'current')
+  client_previous = os.path.join(client_metadata_directory, 'previous')
+  shutil.copytree(metadata_directory, client_current)
+  shutil.copytree(metadata_directory, client_previous)
+
+
+
+
+
+def parse_options():
+  """
+  <Purpose>
+    Parse the command-line options and set the logging level,
+    as specified by the user using the '--verbose' option.
+    The user must also set the '--project' option.  If unset,
+    the current directory is used as the location of the project
+    files.  The project files are copied by 'quickstart.py' and
+    saved to the repository's targets directory.
+
+  <Arguments>
+    None.
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    Sets the logging level for TUF logging.
+
+  <Returns>
+    The 'options.PROJECT_DIRECTORY' string.
+
+  """
+
+  parser = optparse.OptionParser()
+
+  # Add the options supported by 'quickstart' to the option parser.
+  parser.add_option('--verbose', dest='VERBOSE', type=int, default=3,
+                    help='Set the verbosity level of logging messages.'
+                         'The lower the setting, the greater the verbosity.')
+
+  parser.add_option('--project', dest='PROJECT_DIRECTORY', type='string',
+                    default='.', help='Specify the directory containing the '
+                    'project files to host on the TUF repository.')
+
+  options, args = parser.parse_args()
+
+  # Set the logging level.
+  if options.VERBOSE == 5:
+    tuf.log.set_log_level(logging.CRITICAL)
+  elif options.VERBOSE == 4:
+    tuf.log.set_log_level(logging.ERROR)
+  elif options.VERBOSE == 3:
+    tuf.log.set_log_level(logging.WARNING)
+  elif options.VERBOSE == 2:
+    tuf.log.set_log_level(logging.INFO)
+  elif options.VERBOSE == 1:
+    tuf.log.set_log_level(logging.DEBUG)
+  else:
+    tuf.log.set_log_level(logging.NOTSET)
+
+  # Return the directory containing the project files.  These files
+  # are copied over to the targets directory of the repository.
+  return options.PROJECT_DIRECTORY 
+
+
+
+if __name__ == '__main__':
+
+  # Parse the options and set the logging level.
+  project_directory = parse_options()
+
+  # Build the repository.  The top-level metadata files, cryptographic keys,
+  # target files, and the configuration file are created.
+  try:
+    build_repository(project_directory)
+  except tuf.RepositoryError, e:
+    sys.stderr.write(str(e)+'\n')
+    sys.exit(1)
+
+  print '\nSuccessfully created the repository.'
+  sys.exit(0)
diff --git a/src/setup.py b/src/setup.py
new file mode 100755
index 00000000..8a30b6be
--- /dev/null
+++ b/src/setup.py
@@ -0,0 +1,17 @@
+#! /usr/bin/env python
+
+from distutils.core import setup
+
+setup(name='TUF',
+      version='0.0',
+      description='A secure updater framework for Python',
+      author='lots of people',
+      url='https://updateframework.com',
+      packages=['tuf', 
+		'tuf.repo', 
+		'tuf.client', 
+		'tuf.pushtools', 
+		'tuf.pushtools.transfer',
+		'simplejson'],
+      scripts=['quickstart.py', 'tuf/pushtools/push.py', 'tuf/pushtools/receivetools/receive.py', 'tuf/repo/signercli.py']
+     )
diff --git a/src/simplejson/__init__.py b/src/simplejson/__init__.py
new file mode 100755
index 00000000..dcfd5413
--- /dev/null
+++ b/src/simplejson/__init__.py
@@ -0,0 +1,437 @@
+r"""JSON (JavaScript Object Notation) <http://json.org> is a subset of
+JavaScript syntax (ECMA-262 3rd edition) used as a lightweight data
+interchange format.
+
+:mod:`simplejson` exposes an API familiar to users of the standard library
+:mod:`marshal` and :mod:`pickle` modules. It is the externally maintained
+version of the :mod:`json` library contained in Python 2.6, but maintains
+compatibility with Python 2.4 and Python 2.5 and (currently) has
+significant performance advantages, even without using the optional C
+extension for speedups.
+
+Encoding basic Python object hierarchies::
+
+    >>> import simplejson as json
+    >>> json.dumps(['foo', {'bar': ('baz', None, 1.0, 2)}])
+    '["foo", {"bar": ["baz", null, 1.0, 2]}]'
+    >>> print json.dumps("\"foo\bar")
+    "\"foo\bar"
+    >>> print json.dumps(u'\u1234')
+    "\u1234"
+    >>> print json.dumps('\\')
+    "\\"
+    >>> print json.dumps({"c": 0, "b": 0, "a": 0}, sort_keys=True)
+    {"a": 0, "b": 0, "c": 0}
+    >>> from StringIO import StringIO
+    >>> io = StringIO()
+    >>> json.dump(['streaming API'], io)
+    >>> io.getvalue()
+    '["streaming API"]'
+
+Compact encoding::
+
+    >>> import simplejson as json
+    >>> json.dumps([1,2,3,{'4': 5, '6': 7}], separators=(',',':'))
+    '[1,2,3,{"4":5,"6":7}]'
+
+Pretty printing::
+
+    >>> import simplejson as json
+    >>> s = json.dumps({'4': 5, '6': 7}, sort_keys=True, indent='    ')
+    >>> print '\n'.join([l.rstrip() for l in  s.splitlines()])
+    {
+        "4": 5,
+        "6": 7
+    }
+
+Decoding JSON::
+
+    >>> import simplejson as json
+    >>> obj = [u'foo', {u'bar': [u'baz', None, 1.0, 2]}]
+    >>> json.loads('["foo", {"bar":["baz", null, 1.0, 2]}]') == obj
+    True
+    >>> json.loads('"\\"foo\\bar"') == u'"foo\x08ar'
+    True
+    >>> from StringIO import StringIO
+    >>> io = StringIO('["streaming API"]')
+    >>> json.load(io)[0] == 'streaming API'
+    True
+
+Specializing JSON object decoding::
+
+    >>> import simplejson as json
+    >>> def as_complex(dct):
+    ...     if '__complex__' in dct:
+    ...         return complex(dct['real'], dct['imag'])
+    ...     return dct
+    ...
+    >>> json.loads('{"__complex__": true, "real": 1, "imag": 2}',
+    ...     object_hook=as_complex)
+    (1+2j)
+    >>> from decimal import Decimal
+    >>> json.loads('1.1', parse_float=Decimal) == Decimal('1.1')
+    True
+
+Specializing JSON object encoding::
+
+    >>> import simplejson as json
+    >>> def encode_complex(obj):
+    ...     if isinstance(obj, complex):
+    ...         return [obj.real, obj.imag]
+    ...     raise TypeError(repr(o) + " is not JSON serializable")
+    ...
+    >>> json.dumps(2 + 1j, default=encode_complex)
+    '[2.0, 1.0]'
+    >>> json.JSONEncoder(default=encode_complex).encode(2 + 1j)
+    '[2.0, 1.0]'
+    >>> ''.join(json.JSONEncoder(default=encode_complex).iterencode(2 + 1j))
+    '[2.0, 1.0]'
+
+
+Using simplejson.tool from the shell to validate and pretty-print::
+
+    $ echo '{"json":"obj"}' | python -m simplejson.tool
+    {
+        "json": "obj"
+    }
+    $ echo '{ 1.2:3.4}' | python -m simplejson.tool
+    Expecting property name: line 1 column 2 (char 2)
+"""
+__version__ = '2.1.1'
+__all__ = [
+    'dump', 'dumps', 'load', 'loads',
+    'JSONDecoder', 'JSONDecodeError', 'JSONEncoder',
+    'OrderedDict',
+]
+
+__author__ = 'Bob Ippolito <bob@redivi.com>'
+
+from decimal import Decimal
+
+from decoder import JSONDecoder, JSONDecodeError
+from encoder import JSONEncoder
+def _import_OrderedDict():
+    import collections
+    try:
+        return collections.OrderedDict
+    except AttributeError:
+        import ordered_dict
+        return ordered_dict.OrderedDict
+OrderedDict = _import_OrderedDict()
+
+def _import_c_make_encoder():
+    try:
+        from simplejson._speedups import make_encoder
+        return make_encoder
+    except ImportError:
+        return None
+
+_default_encoder = JSONEncoder(
+    skipkeys=False,
+    ensure_ascii=True,
+    check_circular=True,
+    allow_nan=True,
+    indent=None,
+    separators=None,
+    encoding='utf-8',
+    default=None,
+    use_decimal=False,
+)
+
+def dump(obj, fp, skipkeys=False, ensure_ascii=True, check_circular=True,
+        allow_nan=True, cls=None, indent=None, separators=None,
+        encoding='utf-8', default=None, use_decimal=False, **kw):
+    """Serialize ``obj`` as a JSON formatted stream to ``fp`` (a
+    ``.write()``-supporting file-like object).
+
+    If ``skipkeys`` is true then ``dict`` keys that are not basic types
+    (``str``, ``unicode``, ``int``, ``long``, ``float``, ``bool``, ``None``)
+    will be skipped instead of raising a ``TypeError``.
+
+    If ``ensure_ascii`` is false, then the some chunks written to ``fp``
+    may be ``unicode`` instances, subject to normal Python ``str`` to
+    ``unicode`` coercion rules. Unless ``fp.write()`` explicitly
+    understands ``unicode`` (as in ``codecs.getwriter()``) this is likely
+    to cause an error.
+
+    If ``check_circular`` is false, then the circular reference check
+    for container types will be skipped and a circular reference will
+    result in an ``OverflowError`` (or worse).
+
+    If ``allow_nan`` is false, then it will be a ``ValueError`` to
+    serialize out of range ``float`` values (``nan``, ``inf``, ``-inf``)
+    in strict compliance of the JSON specification, instead of using the
+    JavaScript equivalents (``NaN``, ``Infinity``, ``-Infinity``).
+
+    If *indent* is a string, then JSON array elements and object members
+    will be pretty-printed with a newline followed by that string repeated
+    for each level of nesting. ``None`` (the default) selects the most compact
+    representation without any newlines. For backwards compatibility with
+    versions of simplejson earlier than 2.1.0, an integer is also accepted
+    and is converted to a string with that many spaces.
+
+    If ``separators`` is an ``(item_separator, dict_separator)`` tuple
+    then it will be used instead of the default ``(', ', ': ')`` separators.
+    ``(',', ':')`` is the most compact JSON representation.
+
+    ``encoding`` is the character encoding for str instances, default is UTF-8.
+
+    ``default(obj)`` is a function that should return a serializable version
+    of obj or raise TypeError. The default simply raises TypeError.
+
+    If *use_decimal* is true (default: ``False``) then decimal.Decimal
+    will be natively serialized to JSON with full precision.
+
+    To use a custom ``JSONEncoder`` subclass (e.g. one that overrides the
+    ``.default()`` method to serialize additional types), specify it with
+    the ``cls`` kwarg.
+
+    """
+    # cached encoder
+    if (not skipkeys and ensure_ascii and
+        check_circular and allow_nan and
+        cls is None and indent is None and separators is None and
+        encoding == 'utf-8' and default is None and not kw):
+        iterable = _default_encoder.iterencode(obj)
+    else:
+        if cls is None:
+            cls = JSONEncoder
+        iterable = cls(skipkeys=skipkeys, ensure_ascii=ensure_ascii,
+            check_circular=check_circular, allow_nan=allow_nan, indent=indent,
+            separators=separators, encoding=encoding,
+            default=default, use_decimal=use_decimal, **kw).iterencode(obj)
+    # could accelerate with writelines in some versions of Python, at
+    # a debuggability cost
+    for chunk in iterable:
+        fp.write(chunk)
+
+
+def dumps(obj, skipkeys=False, ensure_ascii=True, check_circular=True,
+        allow_nan=True, cls=None, indent=None, separators=None,
+        encoding='utf-8', default=None, use_decimal=False, **kw):
+    """Serialize ``obj`` to a JSON formatted ``str``.
+
+    If ``skipkeys`` is false then ``dict`` keys that are not basic types
+    (``str``, ``unicode``, ``int``, ``long``, ``float``, ``bool``, ``None``)
+    will be skipped instead of raising a ``TypeError``.
+
+    If ``ensure_ascii`` is false, then the return value will be a
+    ``unicode`` instance subject to normal Python ``str`` to ``unicode``
+    coercion rules instead of being escaped to an ASCII ``str``.
+
+    If ``check_circular`` is false, then the circular reference check
+    for container types will be skipped and a circular reference will
+    result in an ``OverflowError`` (or worse).
+
+    If ``allow_nan`` is false, then it will be a ``ValueError`` to
+    serialize out of range ``float`` values (``nan``, ``inf``, ``-inf``) in
+    strict compliance of the JSON specification, instead of using the
+    JavaScript equivalents (``NaN``, ``Infinity``, ``-Infinity``).
+
+    If ``indent`` is a string, then JSON array elements and object members
+    will be pretty-printed with a newline followed by that string repeated
+    for each level of nesting. ``None`` (the default) selects the most compact
+    representation without any newlines. For backwards compatibility with
+    versions of simplejson earlier than 2.1.0, an integer is also accepted
+    and is converted to a string with that many spaces.
+
+    If ``separators`` is an ``(item_separator, dict_separator)`` tuple
+    then it will be used instead of the default ``(', ', ': ')`` separators.
+    ``(',', ':')`` is the most compact JSON representation.
+
+    ``encoding`` is the character encoding for str instances, default is UTF-8.
+
+    ``default(obj)`` is a function that should return a serializable version
+    of obj or raise TypeError. The default simply raises TypeError.
+
+    If *use_decimal* is true (default: ``False``) then decimal.Decimal
+    will be natively serialized to JSON with full precision.
+
+    To use a custom ``JSONEncoder`` subclass (e.g. one that overrides the
+    ``.default()`` method to serialize additional types), specify it with
+    the ``cls`` kwarg.
+
+    """
+    # cached encoder
+    if (not skipkeys and ensure_ascii and
+        check_circular and allow_nan and
+        cls is None and indent is None and separators is None and
+        encoding == 'utf-8' and default is None and not use_decimal
+        and not kw):
+        return _default_encoder.encode(obj)
+    if cls is None:
+        cls = JSONEncoder
+    return cls(
+        skipkeys=skipkeys, ensure_ascii=ensure_ascii,
+        check_circular=check_circular, allow_nan=allow_nan, indent=indent,
+        separators=separators, encoding=encoding, default=default,
+        use_decimal=use_decimal, **kw).encode(obj)
+
+
+_default_decoder = JSONDecoder(encoding=None, object_hook=None,
+                               object_pairs_hook=None)
+
+
+def load(fp, encoding=None, cls=None, object_hook=None, parse_float=None,
+        parse_int=None, parse_constant=None, object_pairs_hook=None,
+        use_decimal=False, **kw):
+    """Deserialize ``fp`` (a ``.read()``-supporting file-like object containing
+    a JSON document) to a Python object.
+
+    *encoding* determines the encoding used to interpret any
+    :class:`str` objects decoded by this instance (``'utf-8'`` by
+    default).  It has no effect when decoding :class:`unicode` objects.
+
+    Note that currently only encodings that are a superset of ASCII work,
+    strings of other encodings should be passed in as :class:`unicode`.
+
+    *object_hook*, if specified, will be called with the result of every
+    JSON object decoded and its return value will be used in place of the
+    given :class:`dict`.  This can be used to provide custom
+    deserializations (e.g. to support JSON-RPC class hinting).
+
+    *object_pairs_hook* is an optional function that will be called with
+    the result of any object literal decode with an ordered list of pairs.
+    The return value of *object_pairs_hook* will be used instead of the
+    :class:`dict`.  This feature can be used to implement custom decoders
+    that rely on the order that the key and value pairs are decoded (for
+    example, :func:`collections.OrderedDict` will remember the order of
+    insertion). If *object_hook* is also defined, the *object_pairs_hook*
+    takes priority.
+
+    *parse_float*, if specified, will be called with the string of every
+    JSON float to be decoded.  By default, this is equivalent to
+    ``float(num_str)``. This can be used to use another datatype or parser
+    for JSON floats (e.g. :class:`decimal.Decimal`).
+
+    *parse_int*, if specified, will be called with the string of every
+    JSON int to be decoded.  By default, this is equivalent to
+    ``int(num_str)``.  This can be used to use another datatype or parser
+    for JSON integers (e.g. :class:`float`).
+
+    *parse_constant*, if specified, will be called with one of the
+    following strings: ``'-Infinity'``, ``'Infinity'``, ``'NaN'``.  This
+    can be used to raise an exception if invalid JSON numbers are
+    encountered.
+
+    If *use_decimal* is true (default: ``False``) then it implies
+    parse_float=decimal.Decimal for parity with ``dump``.
+
+    To use a custom ``JSONDecoder`` subclass, specify it with the ``cls``
+    kwarg.
+
+    """
+    return loads(fp.read(),
+        encoding=encoding, cls=cls, object_hook=object_hook,
+        parse_float=parse_float, parse_int=parse_int,
+        parse_constant=parse_constant, object_pairs_hook=object_pairs_hook,
+        use_decimal=use_decimal, **kw)
+
+
+def loads(s, encoding=None, cls=None, object_hook=None, parse_float=None,
+        parse_int=None, parse_constant=None, object_pairs_hook=None,
+        use_decimal=False, **kw):
+    """Deserialize ``s`` (a ``str`` or ``unicode`` instance containing a JSON
+    document) to a Python object.
+
+    *encoding* determines the encoding used to interpret any
+    :class:`str` objects decoded by this instance (``'utf-8'`` by
+    default).  It has no effect when decoding :class:`unicode` objects.
+
+    Note that currently only encodings that are a superset of ASCII work,
+    strings of other encodings should be passed in as :class:`unicode`.
+
+    *object_hook*, if specified, will be called with the result of every
+    JSON object decoded and its return value will be used in place of the
+    given :class:`dict`.  This can be used to provide custom
+    deserializations (e.g. to support JSON-RPC class hinting).
+
+    *object_pairs_hook* is an optional function that will be called with
+    the result of any object literal decode with an ordered list of pairs.
+    The return value of *object_pairs_hook* will be used instead of the
+    :class:`dict`.  This feature can be used to implement custom decoders
+    that rely on the order that the key and value pairs are decoded (for
+    example, :func:`collections.OrderedDict` will remember the order of
+    insertion). If *object_hook* is also defined, the *object_pairs_hook*
+    takes priority.
+
+    *parse_float*, if specified, will be called with the string of every
+    JSON float to be decoded.  By default, this is equivalent to
+    ``float(num_str)``. This can be used to use another datatype or parser
+    for JSON floats (e.g. :class:`decimal.Decimal`).
+
+    *parse_int*, if specified, will be called with the string of every
+    JSON int to be decoded.  By default, this is equivalent to
+    ``int(num_str)``.  This can be used to use another datatype or parser
+    for JSON integers (e.g. :class:`float`).
+
+    *parse_constant*, if specified, will be called with one of the
+    following strings: ``'-Infinity'``, ``'Infinity'``, ``'NaN'``.  This
+    can be used to raise an exception if invalid JSON numbers are
+    encountered.
+
+    If *use_decimal* is true (default: ``False``) then it implies
+    parse_float=decimal.Decimal for parity with ``dump``.
+
+    To use a custom ``JSONDecoder`` subclass, specify it with the ``cls``
+    kwarg.
+
+    """
+    if (cls is None and encoding is None and object_hook is None and
+            parse_int is None and parse_float is None and
+            parse_constant is None and object_pairs_hook is None
+            and not use_decimal and not kw):
+        return _default_decoder.decode(s)
+    if cls is None:
+        cls = JSONDecoder
+    if object_hook is not None:
+        kw['object_hook'] = object_hook
+    if object_pairs_hook is not None:
+        kw['object_pairs_hook'] = object_pairs_hook
+    if parse_float is not None:
+        kw['parse_float'] = parse_float
+    if parse_int is not None:
+        kw['parse_int'] = parse_int
+    if parse_constant is not None:
+        kw['parse_constant'] = parse_constant
+    if use_decimal:
+        if parse_float is not None:
+            raise TypeError("use_decimal=True implies parse_float=Decimal")
+        kw['parse_float'] = Decimal
+    return cls(encoding=encoding, **kw).decode(s)
+
+
+def _toggle_speedups(enabled):
+    import simplejson.decoder as dec
+    import simplejson.encoder as enc
+    import simplejson.scanner as scan
+    c_make_encoder = _import_c_make_encoder()
+    if enabled:
+        dec.scanstring = dec.c_scanstring or dec.py_scanstring
+        enc.c_make_encoder = c_make_encoder
+        enc.encode_basestring_ascii = (enc.c_encode_basestring_ascii or 
+            enc.py_encode_basestring_ascii)
+        scan.make_scanner = scan.c_make_scanner or scan.py_make_scanner
+    else:
+        dec.scanstring = dec.py_scanstring
+        enc.c_make_encoder = None
+        enc.encode_basestring_ascii = enc.py_encode_basestring_ascii
+        scan.make_scanner = scan.py_make_scanner
+    dec.make_scanner = scan.make_scanner
+    global _default_decoder
+    _default_decoder = JSONDecoder(
+        encoding=None,
+        object_hook=None,
+        object_pairs_hook=None,
+    )
+    global _default_encoder
+    _default_encoder = JSONEncoder(
+       skipkeys=False,
+       ensure_ascii=True,
+       check_circular=True,
+       allow_nan=True,
+       indent=None,
+       separators=None,
+       encoding='utf-8',
+       default=None,
+   )
diff --git a/src/simplejson/__init__.pyc b/src/simplejson/__init__.pyc
new file mode 100755
index 00000000..c532b156
Binary files /dev/null and b/src/simplejson/__init__.pyc differ
diff --git a/src/simplejson/_speedups.c b/src/simplejson/_speedups.c
new file mode 100755
index 00000000..b06ba504
--- /dev/null
+++ b/src/simplejson/_speedups.c
@@ -0,0 +1,2561 @@
+#include "Python.h"
+#include "structmember.h"
+#if PY_VERSION_HEX < 0x02070000 && !defined(PyOS_string_to_double)
+#define PyOS_string_to_double json_PyOS_string_to_double
+static double
+json_PyOS_string_to_double(const char *s, char **endptr, PyObject *overflow_exception);
+static double
+json_PyOS_string_to_double(const char *s, char **endptr, PyObject *overflow_exception) {
+    double x;
+    assert(endptr == NULL);
+    assert(overflow_exception == NULL);
+    PyFPE_START_PROTECT("json_PyOS_string_to_double", return -1.0;)
+    x = PyOS_ascii_atof(s);
+    PyFPE_END_PROTECT(x)
+    return x;
+}
+#endif
+#if PY_VERSION_HEX < 0x02060000 && !defined(Py_TYPE)
+#define Py_TYPE(ob)     (((PyObject*)(ob))->ob_type)
+#endif
+#if PY_VERSION_HEX < 0x02050000 && !defined(PY_SSIZE_T_MIN)
+typedef int Py_ssize_t;
+#define PY_SSIZE_T_MAX INT_MAX
+#define PY_SSIZE_T_MIN INT_MIN
+#define PyInt_FromSsize_t PyInt_FromLong
+#define PyInt_AsSsize_t PyInt_AsLong
+#endif
+#ifndef Py_IS_FINITE
+#define Py_IS_FINITE(X) (!Py_IS_INFINITY(X) && !Py_IS_NAN(X))
+#endif
+
+#ifdef __GNUC__
+#define UNUSED __attribute__((__unused__))
+#else
+#define UNUSED
+#endif
+
+#define DEFAULT_ENCODING "utf-8"
+
+#define PyScanner_Check(op) PyObject_TypeCheck(op, &PyScannerType)
+#define PyScanner_CheckExact(op) (Py_TYPE(op) == &PyScannerType)
+#define PyEncoder_Check(op) PyObject_TypeCheck(op, &PyEncoderType)
+#define PyEncoder_CheckExact(op) (Py_TYPE(op) == &PyEncoderType)
+#define Decimal_Check(op) (PyObject_TypeCheck(op, DecimalTypePtr))
+
+static PyTypeObject PyScannerType;
+static PyTypeObject PyEncoderType;
+static PyTypeObject *DecimalTypePtr;
+
+typedef struct _PyScannerObject {
+    PyObject_HEAD
+    PyObject *encoding;
+    PyObject *strict;
+    PyObject *object_hook;
+    PyObject *pairs_hook;
+    PyObject *parse_float;
+    PyObject *parse_int;
+    PyObject *parse_constant;
+    PyObject *memo;
+} PyScannerObject;
+
+static PyMemberDef scanner_members[] = {
+    {"encoding", T_OBJECT, offsetof(PyScannerObject, encoding), READONLY, "encoding"},
+    {"strict", T_OBJECT, offsetof(PyScannerObject, strict), READONLY, "strict"},
+    {"object_hook", T_OBJECT, offsetof(PyScannerObject, object_hook), READONLY, "object_hook"},
+    {"object_pairs_hook", T_OBJECT, offsetof(PyScannerObject, pairs_hook), READONLY, "object_pairs_hook"},
+    {"parse_float", T_OBJECT, offsetof(PyScannerObject, parse_float), READONLY, "parse_float"},
+    {"parse_int", T_OBJECT, offsetof(PyScannerObject, parse_int), READONLY, "parse_int"},
+    {"parse_constant", T_OBJECT, offsetof(PyScannerObject, parse_constant), READONLY, "parse_constant"},
+    {NULL}
+};
+
+typedef struct _PyEncoderObject {
+    PyObject_HEAD
+    PyObject *markers;
+    PyObject *defaultfn;
+    PyObject *encoder;
+    PyObject *indent;
+    PyObject *key_separator;
+    PyObject *item_separator;
+    PyObject *sort_keys;
+    PyObject *skipkeys;
+    PyObject *key_memo;
+    int fast_encode;
+    int allow_nan;
+    int use_decimal;
+} PyEncoderObject;
+
+static PyMemberDef encoder_members[] = {
+    {"markers", T_OBJECT, offsetof(PyEncoderObject, markers), READONLY, "markers"},
+    {"default", T_OBJECT, offsetof(PyEncoderObject, defaultfn), READONLY, "default"},
+    {"encoder", T_OBJECT, offsetof(PyEncoderObject, encoder), READONLY, "encoder"},
+    {"indent", T_OBJECT, offsetof(PyEncoderObject, indent), READONLY, "indent"},
+    {"key_separator", T_OBJECT, offsetof(PyEncoderObject, key_separator), READONLY, "key_separator"},
+    {"item_separator", T_OBJECT, offsetof(PyEncoderObject, item_separator), READONLY, "item_separator"},
+    {"sort_keys", T_OBJECT, offsetof(PyEncoderObject, sort_keys), READONLY, "sort_keys"},
+    {"skipkeys", T_OBJECT, offsetof(PyEncoderObject, skipkeys), READONLY, "skipkeys"},
+    {"key_memo", T_OBJECT, offsetof(PyEncoderObject, key_memo), READONLY, "key_memo"},
+    {NULL}
+};
+
+static Py_ssize_t
+ascii_escape_char(Py_UNICODE c, char *output, Py_ssize_t chars);
+static PyObject *
+ascii_escape_unicode(PyObject *pystr);
+static PyObject *
+ascii_escape_str(PyObject *pystr);
+static PyObject *
+py_encode_basestring_ascii(PyObject* self UNUSED, PyObject *pystr);
+void init_speedups(void);
+static PyObject *
+scan_once_str(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr);
+static PyObject *
+scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr);
+static PyObject *
+_build_rval_index_tuple(PyObject *rval, Py_ssize_t idx);
+static PyObject *
+scanner_new(PyTypeObject *type, PyObject *args, PyObject *kwds);
+static int
+scanner_init(PyObject *self, PyObject *args, PyObject *kwds);
+static void
+scanner_dealloc(PyObject *self);
+static int
+scanner_clear(PyObject *self);
+static PyObject *
+encoder_new(PyTypeObject *type, PyObject *args, PyObject *kwds);
+static int
+encoder_init(PyObject *self, PyObject *args, PyObject *kwds);
+static void
+encoder_dealloc(PyObject *self);
+static int
+encoder_clear(PyObject *self);
+static int
+encoder_listencode_list(PyEncoderObject *s, PyObject *rval, PyObject *seq, Py_ssize_t indent_level);
+static int
+encoder_listencode_obj(PyEncoderObject *s, PyObject *rval, PyObject *obj, Py_ssize_t indent_level);
+static int
+encoder_listencode_dict(PyEncoderObject *s, PyObject *rval, PyObject *dct, Py_ssize_t indent_level);
+static PyObject *
+_encoded_const(PyObject *obj);
+static void
+raise_errmsg(char *msg, PyObject *s, Py_ssize_t end);
+static PyObject *
+encoder_encode_string(PyEncoderObject *s, PyObject *obj);
+static int
+_convertPyInt_AsSsize_t(PyObject *o, Py_ssize_t *size_ptr);
+static PyObject *
+_convertPyInt_FromSsize_t(Py_ssize_t *size_ptr);
+static PyObject *
+encoder_encode_float(PyEncoderObject *s, PyObject *obj);
+
+#define S_CHAR(c) (c >= ' ' && c <= '~' && c != '\\' && c != '"')
+#define IS_WHITESPACE(c) (((c) == ' ') || ((c) == '\t') || ((c) == '\n') || ((c) == '\r'))
+
+#define MIN_EXPANSION 6
+#ifdef Py_UNICODE_WIDE
+#define MAX_EXPANSION (2 * MIN_EXPANSION)
+#else
+#define MAX_EXPANSION MIN_EXPANSION
+#endif
+
+static int
+_convertPyInt_AsSsize_t(PyObject *o, Py_ssize_t *size_ptr)
+{
+    /* PyObject to Py_ssize_t converter */
+    *size_ptr = PyInt_AsSsize_t(o);
+    if (*size_ptr == -1 && PyErr_Occurred())
+        return 0;
+    return 1;
+}
+
+static PyObject *
+_convertPyInt_FromSsize_t(Py_ssize_t *size_ptr)
+{
+    /* Py_ssize_t to PyObject converter */
+    return PyInt_FromSsize_t(*size_ptr);
+}
+
+static Py_ssize_t
+ascii_escape_char(Py_UNICODE c, char *output, Py_ssize_t chars)
+{
+    /* Escape unicode code point c to ASCII escape sequences
+    in char *output. output must have at least 12 bytes unused to
+    accommodate an escaped surrogate pair "\uXXXX\uXXXX" */
+    output[chars++] = '\\';
+    switch (c) {
+        case '\\': output[chars++] = (char)c; break;
+        case '"': output[chars++] = (char)c; break;
+        case '\b': output[chars++] = 'b'; break;
+        case '\f': output[chars++] = 'f'; break;
+        case '\n': output[chars++] = 'n'; break;
+        case '\r': output[chars++] = 'r'; break;
+        case '\t': output[chars++] = 't'; break;
+        default:
+#ifdef Py_UNICODE_WIDE
+            if (c >= 0x10000) {
+                /* UTF-16 surrogate pair */
+                Py_UNICODE v = c - 0x10000;
+                c = 0xd800 | ((v >> 10) & 0x3ff);
+                output[chars++] = 'u';
+                output[chars++] = "0123456789abcdef"[(c >> 12) & 0xf];
+                output[chars++] = "0123456789abcdef"[(c >>  8) & 0xf];
+                output[chars++] = "0123456789abcdef"[(c >>  4) & 0xf];
+                output[chars++] = "0123456789abcdef"[(c      ) & 0xf];
+                c = 0xdc00 | (v & 0x3ff);
+                output[chars++] = '\\';
+            }
+#endif
+            output[chars++] = 'u';
+            output[chars++] = "0123456789abcdef"[(c >> 12) & 0xf];
+            output[chars++] = "0123456789abcdef"[(c >>  8) & 0xf];
+            output[chars++] = "0123456789abcdef"[(c >>  4) & 0xf];
+            output[chars++] = "0123456789abcdef"[(c      ) & 0xf];
+    }
+    return chars;
+}
+
+static PyObject *
+ascii_escape_unicode(PyObject *pystr)
+{
+    /* Take a PyUnicode pystr and return a new ASCII-only escaped PyString */
+    Py_ssize_t i;
+    Py_ssize_t input_chars;
+    Py_ssize_t output_size;
+    Py_ssize_t max_output_size;
+    Py_ssize_t chars;
+    PyObject *rval;
+    char *output;
+    Py_UNICODE *input_unicode;
+
+    input_chars = PyUnicode_GET_SIZE(pystr);
+    input_unicode = PyUnicode_AS_UNICODE(pystr);
+
+    /* One char input can be up to 6 chars output, estimate 4 of these */
+    output_size = 2 + (MIN_EXPANSION * 4) + input_chars;
+    max_output_size = 2 + (input_chars * MAX_EXPANSION);
+    rval = PyString_FromStringAndSize(NULL, output_size);
+    if (rval == NULL) {
+        return NULL;
+    }
+    output = PyString_AS_STRING(rval);
+    chars = 0;
+    output[chars++] = '"';
+    for (i = 0; i < input_chars; i++) {
+        Py_UNICODE c = input_unicode[i];
+        if (S_CHAR(c)) {
+            output[chars++] = (char)c;
+        }
+        else {
+            chars = ascii_escape_char(c, output, chars);
+        }
+        if (output_size - chars < (1 + MAX_EXPANSION)) {
+            /* There's more than four, so let's resize by a lot */
+            Py_ssize_t new_output_size = output_size * 2;
+            /* This is an upper bound */
+            if (new_output_size > max_output_size) {
+                new_output_size = max_output_size;
+            }
+            /* Make sure that the output size changed before resizing */
+            if (new_output_size != output_size) {
+                output_size = new_output_size;
+                if (_PyString_Resize(&rval, output_size) == -1) {
+                    return NULL;
+                }
+                output = PyString_AS_STRING(rval);
+            }
+        }
+    }
+    output[chars++] = '"';
+    if (_PyString_Resize(&rval, chars) == -1) {
+        return NULL;
+    }
+    return rval;
+}
+
+static PyObject *
+ascii_escape_str(PyObject *pystr)
+{
+    /* Take a PyString pystr and return a new ASCII-only escaped PyString */
+    Py_ssize_t i;
+    Py_ssize_t input_chars;
+    Py_ssize_t output_size;
+    Py_ssize_t chars;
+    PyObject *rval;
+    char *output;
+    char *input_str;
+
+    input_chars = PyString_GET_SIZE(pystr);
+    input_str = PyString_AS_STRING(pystr);
+
+    /* Fast path for a string that's already ASCII */
+    for (i = 0; i < input_chars; i++) {
+        Py_UNICODE c = (Py_UNICODE)(unsigned char)input_str[i];
+        if (!S_CHAR(c)) {
+            /* If we have to escape something, scan the string for unicode */
+            Py_ssize_t j;
+            for (j = i; j < input_chars; j++) {
+                c = (Py_UNICODE)(unsigned char)input_str[j];
+                if (c > 0x7f) {
+                    /* We hit a non-ASCII character, bail to unicode mode */
+                    PyObject *uni;
+                    uni = PyUnicode_DecodeUTF8(input_str, input_chars, "strict");
+                    if (uni == NULL) {
+                        return NULL;
+                    }
+                    rval = ascii_escape_unicode(uni);
+                    Py_DECREF(uni);
+                    return rval;
+                }
+            }
+            break;
+        }
+    }
+
+    if (i == input_chars) {
+        /* Input is already ASCII */
+        output_size = 2 + input_chars;
+    }
+    else {
+        /* One char input can be up to 6 chars output, estimate 4 of these */
+        output_size = 2 + (MIN_EXPANSION * 4) + input_chars;
+    }
+    rval = PyString_FromStringAndSize(NULL, output_size);
+    if (rval == NULL) {
+        return NULL;
+    }
+    output = PyString_AS_STRING(rval);
+    output[0] = '"';
+
+    /* We know that everything up to i is ASCII already */
+    chars = i + 1;
+    memcpy(&output[1], input_str, i);
+
+    for (; i < input_chars; i++) {
+        Py_UNICODE c = (Py_UNICODE)(unsigned char)input_str[i];
+        if (S_CHAR(c)) {
+            output[chars++] = (char)c;
+        }
+        else {
+            chars = ascii_escape_char(c, output, chars);
+        }
+        /* An ASCII char can't possibly expand to a surrogate! */
+        if (output_size - chars < (1 + MIN_EXPANSION)) {
+            /* There's more than four, so let's resize by a lot */
+            output_size *= 2;
+            if (output_size > 2 + (input_chars * MIN_EXPANSION)) {
+                output_size = 2 + (input_chars * MIN_EXPANSION);
+            }
+            if (_PyString_Resize(&rval, output_size) == -1) {
+                return NULL;
+            }
+            output = PyString_AS_STRING(rval);
+        }
+    }
+    output[chars++] = '"';
+    if (_PyString_Resize(&rval, chars) == -1) {
+        return NULL;
+    }
+    return rval;
+}
+
+static void
+raise_errmsg(char *msg, PyObject *s, Py_ssize_t end)
+{
+    /* Use the Python function simplejson.decoder.errmsg to raise a nice
+    looking ValueError exception */
+    static PyObject *JSONDecodeError = NULL;
+    PyObject *exc;
+    if (JSONDecodeError == NULL) {
+        PyObject *decoder = PyImport_ImportModule("simplejson.decoder");
+        if (decoder == NULL)
+            return;
+        JSONDecodeError = PyObject_GetAttrString(decoder, "JSONDecodeError");
+        Py_DECREF(decoder);
+        if (JSONDecodeError == NULL)
+            return;
+    }
+    exc = PyObject_CallFunction(JSONDecodeError, "(zOO&)", msg, s, _convertPyInt_FromSsize_t, &end);
+    if (exc) {
+        PyErr_SetObject(JSONDecodeError, exc);
+        Py_DECREF(exc);
+    }
+}
+
+static PyObject *
+join_list_unicode(PyObject *lst)
+{
+    /* return u''.join(lst) */
+    static PyObject *joinfn = NULL;
+    if (joinfn == NULL) {
+        PyObject *ustr = PyUnicode_FromUnicode(NULL, 0);
+        if (ustr == NULL)
+            return NULL;
+
+        joinfn = PyObject_GetAttrString(ustr, "join");
+        Py_DECREF(ustr);
+        if (joinfn == NULL)
+            return NULL;
+    }
+    return PyObject_CallFunctionObjArgs(joinfn, lst, NULL);
+}
+
+static PyObject *
+join_list_string(PyObject *lst)
+{
+    /* return ''.join(lst) */
+    static PyObject *joinfn = NULL;
+    if (joinfn == NULL) {
+        PyObject *ustr = PyString_FromStringAndSize(NULL, 0);
+        if (ustr == NULL)
+            return NULL;
+
+        joinfn = PyObject_GetAttrString(ustr, "join");
+        Py_DECREF(ustr);
+        if (joinfn == NULL)
+            return NULL;
+    }
+    return PyObject_CallFunctionObjArgs(joinfn, lst, NULL);
+}
+
+static PyObject *
+_build_rval_index_tuple(PyObject *rval, Py_ssize_t idx) {
+    /* return (rval, idx) tuple, stealing reference to rval */
+    PyObject *tpl;
+    PyObject *pyidx;
+    /*
+    steal a reference to rval, returns (rval, idx)
+    */
+    if (rval == NULL) {
+        return NULL;
+    }
+    pyidx = PyInt_FromSsize_t(idx);
+    if (pyidx == NULL) {
+        Py_DECREF(rval);
+        return NULL;
+    }
+    tpl = PyTuple_New(2);
+    if (tpl == NULL) {
+        Py_DECREF(pyidx);
+        Py_DECREF(rval);
+        return NULL;
+    }
+    PyTuple_SET_ITEM(tpl, 0, rval);
+    PyTuple_SET_ITEM(tpl, 1, pyidx);
+    return tpl;
+}
+
+#define APPEND_OLD_CHUNK \
+    if (chunk != NULL) { \
+        if (chunks == NULL) { \
+            chunks = PyList_New(0); \
+            if (chunks == NULL) { \
+                goto bail; \
+            } \
+        } \
+        if (PyList_Append(chunks, chunk)) { \
+            goto bail; \
+        } \
+        Py_CLEAR(chunk); \
+    }
+
+static PyObject *
+scanstring_str(PyObject *pystr, Py_ssize_t end, char *encoding, int strict, Py_ssize_t *next_end_ptr)
+{
+    /* Read the JSON string from PyString pystr.
+    end is the index of the first character after the quote.
+    encoding is the encoding of pystr (must be an ASCII superset)
+    if strict is zero then literal control characters are allowed
+    *next_end_ptr is a return-by-reference index of the character
+        after the end quote
+
+    Return value is a new PyString (if ASCII-only) or PyUnicode
+    */
+    PyObject *rval;
+    Py_ssize_t len = PyString_GET_SIZE(pystr);
+    Py_ssize_t begin = end - 1;
+    Py_ssize_t next = begin;
+    int has_unicode = 0;
+    char *buf = PyString_AS_STRING(pystr);
+    PyObject *chunks = NULL;
+    PyObject *chunk = NULL;
+
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
+    while (1) {
+        /* Find the end of the string or the next escape */
+        Py_UNICODE c = 0;
+        for (next = end; next < len; next++) {
+            c = (unsigned char)buf[next];
+            if (c == '"' || c == '\\') {
+                break;
+            }
+            else if (strict && c <= 0x1f) {
+                raise_errmsg("Invalid control character at", pystr, next);
+                goto bail;
+            }
+            else if (c > 0x7f) {
+                has_unicode = 1;
+            }
+        }
+        if (!(c == '"' || c == '\\')) {
+            raise_errmsg("Unterminated string starting at", pystr, begin);
+            goto bail;
+        }
+        /* Pick up this chunk if it's not zero length */
+        if (next != end) {
+            PyObject *strchunk;
+            APPEND_OLD_CHUNK
+            strchunk = PyString_FromStringAndSize(&buf[end], next - end);
+            if (strchunk == NULL) {
+                goto bail;
+            }
+            if (has_unicode) {
+                chunk = PyUnicode_FromEncodedObject(strchunk, encoding, NULL);
+                Py_DECREF(strchunk);
+                if (chunk == NULL) {
+                    goto bail;
+                }
+            }
+            else {
+                chunk = strchunk;
+            }
+        }
+        next++;
+        if (c == '"') {
+            end = next;
+            break;
+        }
+        if (next == len) {
+            raise_errmsg("Unterminated string starting at", pystr, begin);
+            goto bail;
+        }
+        c = buf[next];
+        if (c != 'u') {
+            /* Non-unicode backslash escapes */
+            end = next + 1;
+            switch (c) {
+                case '"': break;
+                case '\\': break;
+                case '/': break;
+                case 'b': c = '\b'; break;
+                case 'f': c = '\f'; break;
+                case 'n': c = '\n'; break;
+                case 'r': c = '\r'; break;
+                case 't': c = '\t'; break;
+                default: c = 0;
+            }
+            if (c == 0) {
+                raise_errmsg("Invalid \\escape", pystr, end - 2);
+                goto bail;
+            }
+        }
+        else {
+            c = 0;
+            next++;
+            end = next + 4;
+            if (end >= len) {
+                raise_errmsg("Invalid \\uXXXX escape", pystr, next - 1);
+                goto bail;
+            }
+            /* Decode 4 hex digits */
+            for (; next < end; next++) {
+                Py_UNICODE digit = buf[next];
+                c <<= 4;
+                switch (digit) {
+                    case '0': case '1': case '2': case '3': case '4':
+                    case '5': case '6': case '7': case '8': case '9':
+                        c |= (digit - '0'); break;
+                    case 'a': case 'b': case 'c': case 'd': case 'e':
+                    case 'f':
+                        c |= (digit - 'a' + 10); break;
+                    case 'A': case 'B': case 'C': case 'D': case 'E':
+                    case 'F':
+                        c |= (digit - 'A' + 10); break;
+                    default:
+                        raise_errmsg("Invalid \\uXXXX escape", pystr, end - 5);
+                        goto bail;
+                }
+            }
+#ifdef Py_UNICODE_WIDE
+            /* Surrogate pair */
+            if ((c & 0xfc00) == 0xd800) {
+                Py_UNICODE c2 = 0;
+                if (end + 6 >= len) {
+                    raise_errmsg("Unpaired high surrogate", pystr, end - 5);
+                    goto bail;
+                }
+                if (buf[next++] != '\\' || buf[next++] != 'u') {
+                    raise_errmsg("Unpaired high surrogate", pystr, end - 5);
+                    goto bail;
+                }
+                end += 6;
+                /* Decode 4 hex digits */
+                for (; next < end; next++) {
+                    c2 <<= 4;
+                    Py_UNICODE digit = buf[next];
+                    switch (digit) {
+                        case '0': case '1': case '2': case '3': case '4':
+                        case '5': case '6': case '7': case '8': case '9':
+                            c2 |= (digit - '0'); break;
+                        case 'a': case 'b': case 'c': case 'd': case 'e':
+                        case 'f':
+                            c2 |= (digit - 'a' + 10); break;
+                        case 'A': case 'B': case 'C': case 'D': case 'E':
+                        case 'F':
+                            c2 |= (digit - 'A' + 10); break;
+                        default:
+                            raise_errmsg("Invalid \\uXXXX escape", pystr, end - 5);
+                            goto bail;
+                    }
+                }
+                if ((c2 & 0xfc00) != 0xdc00) {
+                    raise_errmsg("Unpaired high surrogate", pystr, end - 5);
+                    goto bail;
+                }
+                c = 0x10000 + (((c - 0xd800) << 10) | (c2 - 0xdc00));
+            }
+            else if ((c & 0xfc00) == 0xdc00) {
+                raise_errmsg("Unpaired low surrogate", pystr, end - 5);
+                goto bail;
+            }
+#endif
+        }
+        if (c > 0x7f) {
+            has_unicode = 1;
+        }
+        APPEND_OLD_CHUNK
+        if (has_unicode) {
+            chunk = PyUnicode_FromUnicode(&c, 1);
+            if (chunk == NULL) {
+                goto bail;
+            }
+        }
+        else {
+            char c_char = Py_CHARMASK(c);
+            chunk = PyString_FromStringAndSize(&c_char, 1);
+            if (chunk == NULL) {
+                goto bail;
+            }
+        }
+    }
+
+    if (chunks == NULL) {
+        if (chunk != NULL)
+            rval = chunk;
+        else
+            rval = PyString_FromStringAndSize("", 0);
+    }
+    else {
+        APPEND_OLD_CHUNK
+        rval = join_list_string(chunks);
+        if (rval == NULL) {
+            goto bail;
+        }
+        Py_CLEAR(chunks);
+    }
+
+    *next_end_ptr = end;
+    return rval;
+bail:
+    *next_end_ptr = -1;
+    Py_XDECREF(chunk);
+    Py_XDECREF(chunks);
+    return NULL;
+}
+
+
+static PyObject *
+scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict, Py_ssize_t *next_end_ptr)
+{
+    /* Read the JSON string from PyUnicode pystr.
+    end is the index of the first character after the quote.
+    if strict is zero then literal control characters are allowed
+    *next_end_ptr is a return-by-reference index of the character
+        after the end quote
+
+    Return value is a new PyUnicode
+    */
+    PyObject *rval;
+    Py_ssize_t len = PyUnicode_GET_SIZE(pystr);
+    Py_ssize_t begin = end - 1;
+    Py_ssize_t next = begin;
+    const Py_UNICODE *buf = PyUnicode_AS_UNICODE(pystr);
+    PyObject *chunks = NULL;
+    PyObject *chunk = NULL;
+
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
+    while (1) {
+        /* Find the end of the string or the next escape */
+        Py_UNICODE c = 0;
+        for (next = end; next < len; next++) {
+            c = buf[next];
+            if (c == '"' || c == '\\') {
+                break;
+            }
+            else if (strict && c <= 0x1f) {
+                raise_errmsg("Invalid control character at", pystr, next);
+                goto bail;
+            }
+        }
+        if (!(c == '"' || c == '\\')) {
+            raise_errmsg("Unterminated string starting at", pystr, begin);
+            goto bail;
+        }
+        /* Pick up this chunk if it's not zero length */
+        if (next != end) {
+            APPEND_OLD_CHUNK
+            chunk = PyUnicode_FromUnicode(&buf[end], next - end);
+            if (chunk == NULL) {
+                goto bail;
+            }
+        }
+        next++;
+        if (c == '"') {
+            end = next;
+            break;
+        }
+        if (next == len) {
+            raise_errmsg("Unterminated string starting at", pystr, begin);
+            goto bail;
+        }
+        c = buf[next];
+        if (c != 'u') {
+            /* Non-unicode backslash escapes */
+            end = next + 1;
+            switch (c) {
+                case '"': break;
+                case '\\': break;
+                case '/': break;
+                case 'b': c = '\b'; break;
+                case 'f': c = '\f'; break;
+                case 'n': c = '\n'; break;
+                case 'r': c = '\r'; break;
+                case 't': c = '\t'; break;
+                default: c = 0;
+            }
+            if (c == 0) {
+                raise_errmsg("Invalid \\escape", pystr, end - 2);
+                goto bail;
+            }
+        }
+        else {
+            c = 0;
+            next++;
+            end = next + 4;
+            if (end >= len) {
+                raise_errmsg("Invalid \\uXXXX escape", pystr, next - 1);
+                goto bail;
+            }
+            /* Decode 4 hex digits */
+            for (; next < end; next++) {
+                Py_UNICODE digit = buf[next];
+                c <<= 4;
+                switch (digit) {
+                    case '0': case '1': case '2': case '3': case '4':
+                    case '5': case '6': case '7': case '8': case '9':
+                        c |= (digit - '0'); break;
+                    case 'a': case 'b': case 'c': case 'd': case 'e':
+                    case 'f':
+                        c |= (digit - 'a' + 10); break;
+                    case 'A': case 'B': case 'C': case 'D': case 'E':
+                    case 'F':
+                        c |= (digit - 'A' + 10); break;
+                    default:
+                        raise_errmsg("Invalid \\uXXXX escape", pystr, end - 5);
+                        goto bail;
+                }
+            }
+#ifdef Py_UNICODE_WIDE
+            /* Surrogate pair */
+            if ((c & 0xfc00) == 0xd800) {
+                Py_UNICODE c2 = 0;
+                if (end + 6 >= len) {
+                    raise_errmsg("Unpaired high surrogate", pystr, end - 5);
+                    goto bail;
+                }
+                if (buf[next++] != '\\' || buf[next++] != 'u') {
+                    raise_errmsg("Unpaired high surrogate", pystr, end - 5);
+                    goto bail;
+                }
+                end += 6;
+                /* Decode 4 hex digits */
+                for (; next < end; next++) {
+                    c2 <<= 4;
+                    Py_UNICODE digit = buf[next];
+                    switch (digit) {
+                        case '0': case '1': case '2': case '3': case '4':
+                        case '5': case '6': case '7': case '8': case '9':
+                            c2 |= (digit - '0'); break;
+                        case 'a': case 'b': case 'c': case 'd': case 'e':
+                        case 'f':
+                            c2 |= (digit - 'a' + 10); break;
+                        case 'A': case 'B': case 'C': case 'D': case 'E':
+                        case 'F':
+                            c2 |= (digit - 'A' + 10); break;
+                        default:
+                            raise_errmsg("Invalid \\uXXXX escape", pystr, end - 5);
+                            goto bail;
+                    }
+                }
+                if ((c2 & 0xfc00) != 0xdc00) {
+                    raise_errmsg("Unpaired high surrogate", pystr, end - 5);
+                    goto bail;
+                }
+                c = 0x10000 + (((c - 0xd800) << 10) | (c2 - 0xdc00));
+            }
+            else if ((c & 0xfc00) == 0xdc00) {
+                raise_errmsg("Unpaired low surrogate", pystr, end - 5);
+                goto bail;
+            }
+#endif
+        }
+        APPEND_OLD_CHUNK
+        chunk = PyUnicode_FromUnicode(&c, 1);
+        if (chunk == NULL) {
+            goto bail;
+        }
+    }
+
+    if (chunks == NULL) {
+        if (chunk != NULL)
+            rval = chunk;
+        else
+            rval = PyUnicode_FromUnicode(NULL, 0);
+    }
+    else {
+        APPEND_OLD_CHUNK
+        rval = join_list_unicode(chunks);
+        if (rval == NULL) {
+            goto bail;
+        }
+        Py_CLEAR(chunks);
+    }
+    *next_end_ptr = end;
+    return rval;
+bail:
+    *next_end_ptr = -1;
+    Py_XDECREF(chunk);
+    Py_XDECREF(chunks);
+    return NULL;
+}
+
+PyDoc_STRVAR(pydoc_scanstring,
+    "scanstring(basestring, end, encoding, strict=True) -> (str, end)\n"
+    "\n"
+    "Scan the string s for a JSON string. End is the index of the\n"
+    "character in s after the quote that started the JSON string.\n"
+    "Unescapes all valid JSON string escape sequences and raises ValueError\n"
+    "on attempt to decode an invalid string. If strict is False then literal\n"
+    "control characters are allowed in the string.\n"
+    "\n"
+    "Returns a tuple of the decoded string and the index of the character in s\n"
+    "after the end quote."
+);
+
+static PyObject *
+py_scanstring(PyObject* self UNUSED, PyObject *args)
+{
+    PyObject *pystr;
+    PyObject *rval;
+    Py_ssize_t end;
+    Py_ssize_t next_end = -1;
+    char *encoding = NULL;
+    int strict = 1;
+    if (!PyArg_ParseTuple(args, "OO&|zi:scanstring", &pystr, _convertPyInt_AsSsize_t, &end, &encoding, &strict)) {
+        return NULL;
+    }
+    if (encoding == NULL) {
+        encoding = DEFAULT_ENCODING;
+    }
+    if (PyString_Check(pystr)) {
+        rval = scanstring_str(pystr, end, encoding, strict, &next_end);
+    }
+    else if (PyUnicode_Check(pystr)) {
+        rval = scanstring_unicode(pystr, end, strict, &next_end);
+    }
+    else {
+        PyErr_Format(PyExc_TypeError,
+                     "first argument must be a string, not %.80s",
+                     Py_TYPE(pystr)->tp_name);
+        return NULL;
+    }
+    return _build_rval_index_tuple(rval, next_end);
+}
+
+PyDoc_STRVAR(pydoc_encode_basestring_ascii,
+    "encode_basestring_ascii(basestring) -> str\n"
+    "\n"
+    "Return an ASCII-only JSON representation of a Python string"
+);
+
+static PyObject *
+py_encode_basestring_ascii(PyObject* self UNUSED, PyObject *pystr)
+{
+    /* Return an ASCII-only JSON representation of a Python string */
+    /* METH_O */
+    if (PyString_Check(pystr)) {
+        return ascii_escape_str(pystr);
+    }
+    else if (PyUnicode_Check(pystr)) {
+        return ascii_escape_unicode(pystr);
+    }
+    else {
+        PyErr_Format(PyExc_TypeError,
+                     "first argument must be a string, not %.80s",
+                     Py_TYPE(pystr)->tp_name);
+        return NULL;
+    }
+}
+
+static void
+scanner_dealloc(PyObject *self)
+{
+    /* Deallocate scanner object */
+    scanner_clear(self);
+    Py_TYPE(self)->tp_free(self);
+}
+
+static int
+scanner_traverse(PyObject *self, visitproc visit, void *arg)
+{
+    PyScannerObject *s;
+    assert(PyScanner_Check(self));
+    s = (PyScannerObject *)self;
+    Py_VISIT(s->encoding);
+    Py_VISIT(s->strict);
+    Py_VISIT(s->object_hook);
+    Py_VISIT(s->pairs_hook);
+    Py_VISIT(s->parse_float);
+    Py_VISIT(s->parse_int);
+    Py_VISIT(s->parse_constant);
+    Py_VISIT(s->memo);
+    return 0;
+}
+
+static int
+scanner_clear(PyObject *self)
+{
+    PyScannerObject *s;
+    assert(PyScanner_Check(self));
+    s = (PyScannerObject *)self;
+    Py_CLEAR(s->encoding);
+    Py_CLEAR(s->strict);
+    Py_CLEAR(s->object_hook);
+    Py_CLEAR(s->pairs_hook);
+    Py_CLEAR(s->parse_float);
+    Py_CLEAR(s->parse_int);
+    Py_CLEAR(s->parse_constant);
+    Py_CLEAR(s->memo);
+    return 0;
+}
+
+static PyObject *
+_parse_object_str(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr) {
+    /* Read a JSON object from PyString pystr.
+    idx is the index of the first character after the opening curly brace.
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the closing curly brace.
+
+    Returns a new PyObject (usually a dict, but object_hook or
+    object_pairs_hook can change that)
+    */
+    char *str = PyString_AS_STRING(pystr);
+    Py_ssize_t end_idx = PyString_GET_SIZE(pystr) - 1;
+    PyObject *rval = NULL;
+    PyObject *pairs = NULL;
+    PyObject *item;
+    PyObject *key = NULL;
+    PyObject *val = NULL;
+    char *encoding = PyString_AS_STRING(s->encoding);
+    int strict = PyObject_IsTrue(s->strict);
+    int has_pairs_hook = (s->pairs_hook != Py_None);
+    Py_ssize_t next_idx;
+    if (has_pairs_hook) {
+        pairs = PyList_New(0);
+        if (pairs == NULL)
+            return NULL;
+    }
+    else {
+        rval = PyDict_New();
+        if (rval == NULL)
+            return NULL;
+    }
+
+    /* skip whitespace after { */
+    while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+    /* only loop if the object is non-empty */
+    if (idx <= end_idx && str[idx] != '}') {
+        while (idx <= end_idx) {
+            PyObject *memokey;
+
+            /* read key */
+            if (str[idx] != '"') {
+                raise_errmsg("Expecting property name", pystr, idx);
+                goto bail;
+            }
+            key = scanstring_str(pystr, idx + 1, encoding, strict, &next_idx);
+            if (key == NULL)
+                goto bail;
+            memokey = PyDict_GetItem(s->memo, key);
+            if (memokey != NULL) {
+                Py_INCREF(memokey);
+                Py_DECREF(key);
+                key = memokey;
+            }
+            else {
+                if (PyDict_SetItem(s->memo, key, key) < 0)
+                    goto bail;
+            }
+            idx = next_idx;
+
+            /* skip whitespace between key and : delimiter, read :, skip whitespace */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+            if (idx > end_idx || str[idx] != ':') {
+                raise_errmsg("Expecting : delimiter", pystr, idx);
+                goto bail;
+            }
+            idx++;
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+            /* read any JSON data type */
+            val = scan_once_str(s, pystr, idx, &next_idx);
+            if (val == NULL)
+                goto bail;
+
+            if (has_pairs_hook) {
+                item = PyTuple_Pack(2, key, val);
+                if (item == NULL)
+                    goto bail;
+                Py_CLEAR(key);
+                Py_CLEAR(val);
+                if (PyList_Append(pairs, item) == -1) {
+                    Py_DECREF(item);
+                    goto bail;
+                }
+                Py_DECREF(item);
+            }
+            else {
+                if (PyDict_SetItem(rval, key, val) < 0)
+                    goto bail;
+                Py_CLEAR(key);
+                Py_CLEAR(val);
+            }
+            idx = next_idx;
+
+            /* skip whitespace before } or , */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+            /* bail if the object is closed or we didn't get the , delimiter */
+            if (idx > end_idx) break;
+            if (str[idx] == '}') {
+                break;
+            }
+            else if (str[idx] != ',') {
+                raise_errmsg("Expecting , delimiter", pystr, idx);
+                goto bail;
+            }
+            idx++;
+
+            /* skip whitespace after , delimiter */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+        }
+    }
+    /* verify that idx < end_idx, str[idx] should be '}' */
+    if (idx > end_idx || str[idx] != '}') {
+        raise_errmsg("Expecting object", pystr, end_idx);
+        goto bail;
+    }
+
+    /* if pairs_hook is not None: rval = object_pairs_hook(pairs) */
+    if (s->pairs_hook != Py_None) {
+        val = PyObject_CallFunctionObjArgs(s->pairs_hook, pairs, NULL);
+        if (val == NULL)
+            goto bail;
+        Py_DECREF(pairs);
+        *next_idx_ptr = idx + 1;
+        return val;
+    }
+
+    /* if object_hook is not None: rval = object_hook(rval) */
+    if (s->object_hook != Py_None) {
+        val = PyObject_CallFunctionObjArgs(s->object_hook, rval, NULL);
+        if (val == NULL)
+            goto bail;
+        Py_DECREF(rval);
+        rval = val;
+        val = NULL;
+    }
+    *next_idx_ptr = idx + 1;
+    return rval;
+bail:
+    Py_XDECREF(rval);
+    Py_XDECREF(key);
+    Py_XDECREF(val);
+    Py_XDECREF(pairs);
+    return NULL;
+}
+
+static PyObject *
+_parse_object_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr) {
+    /* Read a JSON object from PyUnicode pystr.
+    idx is the index of the first character after the opening curly brace.
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the closing curly brace.
+
+    Returns a new PyObject (usually a dict, but object_hook can change that)
+    */
+    Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
+    Py_ssize_t end_idx = PyUnicode_GET_SIZE(pystr) - 1;
+    PyObject *rval = NULL;
+    PyObject *pairs = NULL;
+    PyObject *item;
+    PyObject *key = NULL;
+    PyObject *val = NULL;
+    int strict = PyObject_IsTrue(s->strict);
+    int has_pairs_hook = (s->pairs_hook != Py_None);
+    Py_ssize_t next_idx;
+
+    if (has_pairs_hook) {
+        pairs = PyList_New(0);
+        if (pairs == NULL)
+            return NULL;
+    }
+    else {
+        rval = PyDict_New();
+        if (rval == NULL)
+            return NULL;
+    }
+    
+    /* skip whitespace after { */
+    while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+    /* only loop if the object is non-empty */
+    if (idx <= end_idx && str[idx] != '}') {
+        while (idx <= end_idx) {
+            PyObject *memokey;
+
+            /* read key */
+            if (str[idx] != '"') {
+                raise_errmsg("Expecting property name", pystr, idx);
+                goto bail;
+            }
+            key = scanstring_unicode(pystr, idx + 1, strict, &next_idx);
+            if (key == NULL)
+                goto bail;
+            memokey = PyDict_GetItem(s->memo, key);
+            if (memokey != NULL) {
+                Py_INCREF(memokey);
+                Py_DECREF(key);
+                key = memokey;
+            }
+            else {
+                if (PyDict_SetItem(s->memo, key, key) < 0)
+                    goto bail;
+            }
+            idx = next_idx;
+
+            /* skip whitespace between key and : delimiter, read :, skip whitespace */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+            if (idx > end_idx || str[idx] != ':') {
+                raise_errmsg("Expecting : delimiter", pystr, idx);
+                goto bail;
+            }
+            idx++;
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+            /* read any JSON term */
+            val = scan_once_unicode(s, pystr, idx, &next_idx);
+            if (val == NULL)
+                goto bail;
+
+            if (has_pairs_hook) {
+                item = PyTuple_Pack(2, key, val);
+                if (item == NULL)
+                    goto bail;
+                Py_CLEAR(key);
+                Py_CLEAR(val);
+                if (PyList_Append(pairs, item) == -1) {
+                    Py_DECREF(item);
+                    goto bail;
+                }
+                Py_DECREF(item);
+            }
+            else {
+                if (PyDict_SetItem(rval, key, val) < 0)
+                    goto bail;
+                Py_CLEAR(key);
+                Py_CLEAR(val);
+            }
+            idx = next_idx;
+
+            /* skip whitespace before } or , */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+            /* bail if the object is closed or we didn't get the , delimiter */
+            if (idx > end_idx) break;
+            if (str[idx] == '}') {
+                break;
+            }
+            else if (str[idx] != ',') {
+                raise_errmsg("Expecting , delimiter", pystr, idx);
+                goto bail;
+            }
+            idx++;
+
+            /* skip whitespace after , delimiter */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+        }
+    }
+
+    /* verify that idx < end_idx, str[idx] should be '}' */
+    if (idx > end_idx || str[idx] != '}') {
+        raise_errmsg("Expecting object", pystr, end_idx);
+        goto bail;
+    }
+
+    /* if pairs_hook is not None: rval = object_pairs_hook(pairs) */
+    if (s->pairs_hook != Py_None) {
+        val = PyObject_CallFunctionObjArgs(s->pairs_hook, pairs, NULL);
+        if (val == NULL)
+            goto bail;
+        Py_DECREF(pairs);
+        *next_idx_ptr = idx + 1;
+        return val;
+    }
+
+    /* if object_hook is not None: rval = object_hook(rval) */
+    if (s->object_hook != Py_None) {
+        val = PyObject_CallFunctionObjArgs(s->object_hook, rval, NULL);
+        if (val == NULL)
+            goto bail;
+        Py_DECREF(rval);
+        rval = val;
+        val = NULL;
+    }
+    *next_idx_ptr = idx + 1;
+    return rval;
+bail:
+    Py_XDECREF(rval);
+    Py_XDECREF(key);
+    Py_XDECREF(val);
+    Py_XDECREF(pairs);
+    return NULL;
+}
+
+static PyObject *
+_parse_array_str(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr) {
+    /* Read a JSON array from PyString pystr.
+    idx is the index of the first character after the opening brace.
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the closing brace.
+
+    Returns a new PyList
+    */
+    char *str = PyString_AS_STRING(pystr);
+    Py_ssize_t end_idx = PyString_GET_SIZE(pystr) - 1;
+    PyObject *val = NULL;
+    PyObject *rval = PyList_New(0);
+    Py_ssize_t next_idx;
+    if (rval == NULL)
+        return NULL;
+
+    /* skip whitespace after [ */
+    while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+    /* only loop if the array is non-empty */
+    if (idx <= end_idx && str[idx] != ']') {
+        while (idx <= end_idx) {
+
+            /* read any JSON term and de-tuplefy the (rval, idx) */
+            val = scan_once_str(s, pystr, idx, &next_idx);
+            if (val == NULL) {
+                if (PyErr_ExceptionMatches(PyExc_StopIteration)) {
+                    PyErr_Clear();
+                    raise_errmsg("Expecting object", pystr, idx);
+                }
+                goto bail;
+            }
+
+            if (PyList_Append(rval, val) == -1)
+                goto bail;
+
+            Py_CLEAR(val);
+            idx = next_idx;
+
+            /* skip whitespace between term and , */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+            /* bail if the array is closed or we didn't get the , delimiter */
+            if (idx > end_idx) break;
+            if (str[idx] == ']') {
+                break;
+            }
+            else if (str[idx] != ',') {
+                raise_errmsg("Expecting , delimiter", pystr, idx);
+                goto bail;
+            }
+            idx++;
+
+            /* skip whitespace after , */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+        }
+    }
+
+    /* verify that idx < end_idx, str[idx] should be ']' */
+    if (idx > end_idx || str[idx] != ']') {
+        raise_errmsg("Expecting object", pystr, end_idx);
+        goto bail;
+    }
+    *next_idx_ptr = idx + 1;
+    return rval;
+bail:
+    Py_XDECREF(val);
+    Py_DECREF(rval);
+    return NULL;
+}
+
+static PyObject *
+_parse_array_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr) {
+    /* Read a JSON array from PyString pystr.
+    idx is the index of the first character after the opening brace.
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the closing brace.
+
+    Returns a new PyList
+    */
+    Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
+    Py_ssize_t end_idx = PyUnicode_GET_SIZE(pystr) - 1;
+    PyObject *val = NULL;
+    PyObject *rval = PyList_New(0);
+    Py_ssize_t next_idx;
+    if (rval == NULL)
+        return NULL;
+
+    /* skip whitespace after [ */
+    while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+    /* only loop if the array is non-empty */
+    if (idx <= end_idx && str[idx] != ']') {
+        while (idx <= end_idx) {
+
+            /* read any JSON term  */
+            val = scan_once_unicode(s, pystr, idx, &next_idx);
+            if (val == NULL) {
+                if (PyErr_ExceptionMatches(PyExc_StopIteration)) {
+                    PyErr_Clear();
+                    raise_errmsg("Expecting object", pystr, idx);
+                }
+                goto bail;
+            }
+
+            if (PyList_Append(rval, val) == -1)
+                goto bail;
+
+            Py_CLEAR(val);
+            idx = next_idx;
+
+            /* skip whitespace between term and , */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+
+            /* bail if the array is closed or we didn't get the , delimiter */
+            if (idx > end_idx) break;
+            if (str[idx] == ']') {
+                break;
+            }
+            else if (str[idx] != ',') {
+                raise_errmsg("Expecting , delimiter", pystr, idx);
+                goto bail;
+            }
+            idx++;
+
+            /* skip whitespace after , */
+            while (idx <= end_idx && IS_WHITESPACE(str[idx])) idx++;
+        }
+    }
+
+    /* verify that idx < end_idx, str[idx] should be ']' */
+    if (idx > end_idx || str[idx] != ']') {
+        raise_errmsg("Expecting object", pystr, end_idx);
+        goto bail;
+    }
+    *next_idx_ptr = idx + 1;
+    return rval;
+bail:
+    Py_XDECREF(val);
+    Py_DECREF(rval);
+    return NULL;
+}
+
+static PyObject *
+_parse_constant(PyScannerObject *s, char *constant, Py_ssize_t idx, Py_ssize_t *next_idx_ptr) {
+    /* Read a JSON constant from PyString pystr.
+    constant is the constant string that was found
+        ("NaN", "Infinity", "-Infinity").
+    idx is the index of the first character of the constant
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the constant.
+
+    Returns the result of parse_constant
+    */
+    PyObject *cstr;
+    PyObject *rval;
+    /* constant is "NaN", "Infinity", or "-Infinity" */
+    cstr = PyString_InternFromString(constant);
+    if (cstr == NULL)
+        return NULL;
+
+    /* rval = parse_constant(constant) */
+    rval = PyObject_CallFunctionObjArgs(s->parse_constant, cstr, NULL);
+    idx += PyString_GET_SIZE(cstr);
+    Py_DECREF(cstr);
+    *next_idx_ptr = idx;
+    return rval;
+}
+
+static PyObject *
+_match_number_str(PyScannerObject *s, PyObject *pystr, Py_ssize_t start, Py_ssize_t *next_idx_ptr) {
+    /* Read a JSON number from PyString pystr.
+    idx is the index of the first character of the number
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the number.
+
+    Returns a new PyObject representation of that number:
+        PyInt, PyLong, or PyFloat.
+        May return other types if parse_int or parse_float are set
+    */
+    char *str = PyString_AS_STRING(pystr);
+    Py_ssize_t end_idx = PyString_GET_SIZE(pystr) - 1;
+    Py_ssize_t idx = start;
+    int is_float = 0;
+    PyObject *rval;
+    PyObject *numstr;
+
+    /* read a sign if it's there, make sure it's not the end of the string */
+    if (str[idx] == '-') {
+        idx++;
+        if (idx > end_idx) {
+            PyErr_SetNone(PyExc_StopIteration);
+            return NULL;
+        }
+    }
+
+    /* read as many integer digits as we find as long as it doesn't start with 0 */
+    if (str[idx] >= '1' && str[idx] <= '9') {
+        idx++;
+        while (idx <= end_idx && str[idx] >= '0' && str[idx] <= '9') idx++;
+    }
+    /* if it starts with 0 we only expect one integer digit */
+    else if (str[idx] == '0') {
+        idx++;
+    }
+    /* no integer digits, error */
+    else {
+        PyErr_SetNone(PyExc_StopIteration);
+        return NULL;
+    }
+
+    /* if the next char is '.' followed by a digit then read all float digits */
+    if (idx < end_idx && str[idx] == '.' && str[idx + 1] >= '0' && str[idx + 1] <= '9') {
+        is_float = 1;
+        idx += 2;
+        while (idx <= end_idx && str[idx] >= '0' && str[idx] <= '9') idx++;
+    }
+
+    /* if the next char is 'e' or 'E' then maybe read the exponent (or backtrack) */
+    if (idx < end_idx && (str[idx] == 'e' || str[idx] == 'E')) {
+
+        /* save the index of the 'e' or 'E' just in case we need to backtrack */
+        Py_ssize_t e_start = idx;
+        idx++;
+
+        /* read an exponent sign if present */
+        if (idx < end_idx && (str[idx] == '-' || str[idx] == '+')) idx++;
+
+        /* read all digits */
+        while (idx <= end_idx && str[idx] >= '0' && str[idx] <= '9') idx++;
+
+        /* if we got a digit, then parse as float. if not, backtrack */
+        if (str[idx - 1] >= '0' && str[idx - 1] <= '9') {
+            is_float = 1;
+        }
+        else {
+            idx = e_start;
+        }
+    }
+
+    /* copy the section we determined to be a number */
+    numstr = PyString_FromStringAndSize(&str[start], idx - start);
+    if (numstr == NULL)
+        return NULL;
+    if (is_float) {
+        /* parse as a float using a fast path if available, otherwise call user defined method */
+        if (s->parse_float != (PyObject *)&PyFloat_Type) {
+            rval = PyObject_CallFunctionObjArgs(s->parse_float, numstr, NULL);
+        }
+        else {
+            /* rval = PyFloat_FromDouble(PyOS_ascii_atof(PyString_AS_STRING(numstr))); */
+            double d = PyOS_string_to_double(PyString_AS_STRING(numstr),
+                                             NULL, NULL);
+            if (d == -1.0 && PyErr_Occurred())
+                return NULL;
+            rval = PyFloat_FromDouble(d);
+        }
+    }
+    else {
+        /* parse as an int using a fast path if available, otherwise call user defined method */
+        if (s->parse_int != (PyObject *)&PyInt_Type) {
+            rval = PyObject_CallFunctionObjArgs(s->parse_int, numstr, NULL);
+        }
+        else {
+            rval = PyInt_FromString(PyString_AS_STRING(numstr), NULL, 10);
+        }
+    }
+    Py_DECREF(numstr);
+    *next_idx_ptr = idx;
+    return rval;
+}
+
+static PyObject *
+_match_number_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t start, Py_ssize_t *next_idx_ptr) {
+    /* Read a JSON number from PyUnicode pystr.
+    idx is the index of the first character of the number
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the number.
+
+    Returns a new PyObject representation of that number:
+        PyInt, PyLong, or PyFloat.
+        May return other types if parse_int or parse_float are set
+    */
+    Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
+    Py_ssize_t end_idx = PyUnicode_GET_SIZE(pystr) - 1;
+    Py_ssize_t idx = start;
+    int is_float = 0;
+    PyObject *rval;
+    PyObject *numstr;
+
+    /* read a sign if it's there, make sure it's not the end of the string */
+    if (str[idx] == '-') {
+        idx++;
+        if (idx > end_idx) {
+            PyErr_SetNone(PyExc_StopIteration);
+            return NULL;
+        }
+    }
+
+    /* read as many integer digits as we find as long as it doesn't start with 0 */
+    if (str[idx] >= '1' && str[idx] <= '9') {
+        idx++;
+        while (idx <= end_idx && str[idx] >= '0' && str[idx] <= '9') idx++;
+    }
+    /* if it starts with 0 we only expect one integer digit */
+    else if (str[idx] == '0') {
+        idx++;
+    }
+    /* no integer digits, error */
+    else {
+        PyErr_SetNone(PyExc_StopIteration);
+        return NULL;
+    }
+
+    /* if the next char is '.' followed by a digit then read all float digits */
+    if (idx < end_idx && str[idx] == '.' && str[idx + 1] >= '0' && str[idx + 1] <= '9') {
+        is_float = 1;
+        idx += 2;
+        while (idx <= end_idx && str[idx] >= '0' && str[idx] <= '9') idx++;
+    }
+
+    /* if the next char is 'e' or 'E' then maybe read the exponent (or backtrack) */
+    if (idx < end_idx && (str[idx] == 'e' || str[idx] == 'E')) {
+        Py_ssize_t e_start = idx;
+        idx++;
+
+        /* read an exponent sign if present */
+        if (idx < end_idx && (str[idx] == '-' || str[idx] == '+')) idx++;
+
+        /* read all digits */
+        while (idx <= end_idx && str[idx] >= '0' && str[idx] <= '9') idx++;
+
+        /* if we got a digit, then parse as float. if not, backtrack */
+        if (str[idx - 1] >= '0' && str[idx - 1] <= '9') {
+            is_float = 1;
+        }
+        else {
+            idx = e_start;
+        }
+    }
+
+    /* copy the section we determined to be a number */
+    numstr = PyUnicode_FromUnicode(&str[start], idx - start);
+    if (numstr == NULL)
+        return NULL;
+    if (is_float) {
+        /* parse as a float using a fast path if available, otherwise call user defined method */
+        if (s->parse_float != (PyObject *)&PyFloat_Type) {
+            rval = PyObject_CallFunctionObjArgs(s->parse_float, numstr, NULL);
+        }
+        else {
+            rval = PyFloat_FromString(numstr, NULL);
+        }
+    }
+    else {
+        /* no fast path for unicode -> int, just call */
+        rval = PyObject_CallFunctionObjArgs(s->parse_int, numstr, NULL);
+    }
+    Py_DECREF(numstr);
+    *next_idx_ptr = idx;
+    return rval;
+}
+
+static PyObject *
+scan_once_str(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr)
+{
+    /* Read one JSON term (of any kind) from PyString pystr.
+    idx is the index of the first character of the term
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the number.
+
+    Returns a new PyObject representation of the term.
+    */
+    char *str = PyString_AS_STRING(pystr);
+    Py_ssize_t length = PyString_GET_SIZE(pystr);
+    if (idx >= length) {
+        PyErr_SetNone(PyExc_StopIteration);
+        return NULL;
+    }
+    switch (str[idx]) {
+        case '"':
+            /* string */
+            return scanstring_str(pystr, idx + 1,
+                PyString_AS_STRING(s->encoding),
+                PyObject_IsTrue(s->strict),
+                next_idx_ptr);
+        case '{':
+            /* object */
+            return _parse_object_str(s, pystr, idx + 1, next_idx_ptr);
+        case '[':
+            /* array */
+            return _parse_array_str(s, pystr, idx + 1, next_idx_ptr);
+        case 'n':
+            /* null */
+            if ((idx + 3 < length) && str[idx + 1] == 'u' && str[idx + 2] == 'l' && str[idx + 3] == 'l') {
+                Py_INCREF(Py_None);
+                *next_idx_ptr = idx + 4;
+                return Py_None;
+            }
+            break;
+        case 't':
+            /* true */
+            if ((idx + 3 < length) && str[idx + 1] == 'r' && str[idx + 2] == 'u' && str[idx + 3] == 'e') {
+                Py_INCREF(Py_True);
+                *next_idx_ptr = idx + 4;
+                return Py_True;
+            }
+            break;
+        case 'f':
+            /* false */
+            if ((idx + 4 < length) && str[idx + 1] == 'a' && str[idx + 2] == 'l' && str[idx + 3] == 's' && str[idx + 4] == 'e') {
+                Py_INCREF(Py_False);
+                *next_idx_ptr = idx + 5;
+                return Py_False;
+            }
+            break;
+        case 'N':
+            /* NaN */
+            if ((idx + 2 < length) && str[idx + 1] == 'a' && str[idx + 2] == 'N') {
+                return _parse_constant(s, "NaN", idx, next_idx_ptr);
+            }
+            break;
+        case 'I':
+            /* Infinity */
+            if ((idx + 7 < length) && str[idx + 1] == 'n' && str[idx + 2] == 'f' && str[idx + 3] == 'i' && str[idx + 4] == 'n' && str[idx + 5] == 'i' && str[idx + 6] == 't' && str[idx + 7] == 'y') {
+                return _parse_constant(s, "Infinity", idx, next_idx_ptr);
+            }
+            break;
+        case '-':
+            /* -Infinity */
+            if ((idx + 8 < length) && str[idx + 1] == 'I' && str[idx + 2] == 'n' && str[idx + 3] == 'f' && str[idx + 4] == 'i' && str[idx + 5] == 'n' && str[idx + 6] == 'i' && str[idx + 7] == 't' && str[idx + 8] == 'y') {
+                return _parse_constant(s, "-Infinity", idx, next_idx_ptr);
+            }
+            break;
+    }
+    /* Didn't find a string, object, array, or named constant. Look for a number. */
+    return _match_number_str(s, pystr, idx, next_idx_ptr);
+}
+
+static PyObject *
+scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *next_idx_ptr)
+{
+    /* Read one JSON term (of any kind) from PyUnicode pystr.
+    idx is the index of the first character of the term
+    *next_idx_ptr is a return-by-reference index to the first character after
+        the number.
+
+    Returns a new PyObject representation of the term.
+    */
+    Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
+    Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
+    if (idx >= length) {
+        PyErr_SetNone(PyExc_StopIteration);
+        return NULL;
+    }
+    switch (str[idx]) {
+        case '"':
+            /* string */
+            return scanstring_unicode(pystr, idx + 1,
+                PyObject_IsTrue(s->strict),
+                next_idx_ptr);
+        case '{':
+            /* object */
+            return _parse_object_unicode(s, pystr, idx + 1, next_idx_ptr);
+        case '[':
+            /* array */
+            return _parse_array_unicode(s, pystr, idx + 1, next_idx_ptr);
+        case 'n':
+            /* null */
+            if ((idx + 3 < length) && str[idx + 1] == 'u' && str[idx + 2] == 'l' && str[idx + 3] == 'l') {
+                Py_INCREF(Py_None);
+                *next_idx_ptr = idx + 4;
+                return Py_None;
+            }
+            break;
+        case 't':
+            /* true */
+            if ((idx + 3 < length) && str[idx + 1] == 'r' && str[idx + 2] == 'u' && str[idx + 3] == 'e') {
+                Py_INCREF(Py_True);
+                *next_idx_ptr = idx + 4;
+                return Py_True;
+            }
+            break;
+        case 'f':
+            /* false */
+            if ((idx + 4 < length) && str[idx + 1] == 'a' && str[idx + 2] == 'l' && str[idx + 3] == 's' && str[idx + 4] == 'e') {
+                Py_INCREF(Py_False);
+                *next_idx_ptr = idx + 5;
+                return Py_False;
+            }
+            break;
+        case 'N':
+            /* NaN */
+            if ((idx + 2 < length) && str[idx + 1] == 'a' && str[idx + 2] == 'N') {
+                return _parse_constant(s, "NaN", idx, next_idx_ptr);
+            }
+            break;
+        case 'I':
+            /* Infinity */
+            if ((idx + 7 < length) && str[idx + 1] == 'n' && str[idx + 2] == 'f' && str[idx + 3] == 'i' && str[idx + 4] == 'n' && str[idx + 5] == 'i' && str[idx + 6] == 't' && str[idx + 7] == 'y') {
+                return _parse_constant(s, "Infinity", idx, next_idx_ptr);
+            }
+            break;
+        case '-':
+            /* -Infinity */
+            if ((idx + 8 < length) && str[idx + 1] == 'I' && str[idx + 2] == 'n' && str[idx + 3] == 'f' && str[idx + 4] == 'i' && str[idx + 5] == 'n' && str[idx + 6] == 'i' && str[idx + 7] == 't' && str[idx + 8] == 'y') {
+                return _parse_constant(s, "-Infinity", idx, next_idx_ptr);
+            }
+            break;
+    }
+    /* Didn't find a string, object, array, or named constant. Look for a number. */
+    return _match_number_unicode(s, pystr, idx, next_idx_ptr);
+}
+
+static PyObject *
+scanner_call(PyObject *self, PyObject *args, PyObject *kwds)
+{
+    /* Python callable interface to scan_once_{str,unicode} */
+    PyObject *pystr;
+    PyObject *rval;
+    Py_ssize_t idx;
+    Py_ssize_t next_idx = -1;
+    static char *kwlist[] = {"string", "idx", NULL};
+    PyScannerObject *s;
+    assert(PyScanner_Check(self));
+    s = (PyScannerObject *)self;
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "OO&:scan_once", kwlist, &pystr, _convertPyInt_AsSsize_t, &idx))
+        return NULL;
+
+    if (PyString_Check(pystr)) {
+        rval = scan_once_str(s, pystr, idx, &next_idx);
+    }
+    else if (PyUnicode_Check(pystr)) {
+        rval = scan_once_unicode(s, pystr, idx, &next_idx);
+    }
+    else {
+        PyErr_Format(PyExc_TypeError,
+                 "first argument must be a string, not %.80s",
+                 Py_TYPE(pystr)->tp_name);
+        return NULL;
+    }
+    PyDict_Clear(s->memo);
+    return _build_rval_index_tuple(rval, next_idx);
+}
+
+static PyObject *
+scanner_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+{
+    PyScannerObject *s;
+    s = (PyScannerObject *)type->tp_alloc(type, 0);
+    if (s != NULL) {
+        s->encoding = NULL;
+        s->strict = NULL;
+        s->object_hook = NULL;
+        s->pairs_hook = NULL;
+        s->parse_float = NULL;
+        s->parse_int = NULL;
+        s->parse_constant = NULL;
+    }
+    return (PyObject *)s;
+}
+
+static int
+scanner_init(PyObject *self, PyObject *args, PyObject *kwds)
+{
+    /* Initialize Scanner object */
+    PyObject *ctx;
+    static char *kwlist[] = {"context", NULL};
+    PyScannerObject *s;
+
+    assert(PyScanner_Check(self));
+    s = (PyScannerObject *)self;
+
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "O:make_scanner", kwlist, &ctx))
+        return -1;
+    
+    if (s->memo == NULL) {
+        s->memo = PyDict_New();
+        if (s->memo == NULL)
+            goto bail;
+    }
+
+    /* PyString_AS_STRING is used on encoding */
+    s->encoding = PyObject_GetAttrString(ctx, "encoding");
+    if (s->encoding == NULL)
+        goto bail;
+    if (s->encoding == Py_None) {
+        Py_DECREF(Py_None);
+        s->encoding = PyString_InternFromString(DEFAULT_ENCODING);
+    }
+    else if (PyUnicode_Check(s->encoding)) {
+        PyObject *tmp = PyUnicode_AsEncodedString(s->encoding, NULL, NULL);
+        Py_DECREF(s->encoding);
+        s->encoding = tmp;
+    }
+    if (s->encoding == NULL || !PyString_Check(s->encoding))
+        goto bail;
+
+    /* All of these will fail "gracefully" so we don't need to verify them */
+    s->strict = PyObject_GetAttrString(ctx, "strict");
+    if (s->strict == NULL)
+        goto bail;
+    s->object_hook = PyObject_GetAttrString(ctx, "object_hook");
+    if (s->object_hook == NULL)
+        goto bail;
+    s->pairs_hook = PyObject_GetAttrString(ctx, "object_pairs_hook");
+    if (s->pairs_hook == NULL)
+        goto bail;
+    s->parse_float = PyObject_GetAttrString(ctx, "parse_float");
+    if (s->parse_float == NULL)
+        goto bail;
+    s->parse_int = PyObject_GetAttrString(ctx, "parse_int");
+    if (s->parse_int == NULL)
+        goto bail;
+    s->parse_constant = PyObject_GetAttrString(ctx, "parse_constant");
+    if (s->parse_constant == NULL)
+        goto bail;
+
+    return 0;
+
+bail:
+    Py_CLEAR(s->encoding);
+    Py_CLEAR(s->strict);
+    Py_CLEAR(s->object_hook);
+    Py_CLEAR(s->pairs_hook);
+    Py_CLEAR(s->parse_float);
+    Py_CLEAR(s->parse_int);
+    Py_CLEAR(s->parse_constant);
+    return -1;
+}
+
+PyDoc_STRVAR(scanner_doc, "JSON scanner object");
+
+static
+PyTypeObject PyScannerType = {
+    PyObject_HEAD_INIT(NULL)
+    0,                    /* tp_internal */
+    "simplejson._speedups.Scanner",       /* tp_name */
+    sizeof(PyScannerObject), /* tp_basicsize */
+    0,                    /* tp_itemsize */
+    scanner_dealloc, /* tp_dealloc */
+    0,                    /* tp_print */
+    0,                    /* tp_getattr */
+    0,                    /* tp_setattr */
+    0,                    /* tp_compare */
+    0,                    /* tp_repr */
+    0,                    /* tp_as_number */
+    0,                    /* tp_as_sequence */
+    0,                    /* tp_as_mapping */
+    0,                    /* tp_hash */
+    scanner_call,         /* tp_call */
+    0,                    /* tp_str */
+    0,/* PyObject_GenericGetAttr, */                    /* tp_getattro */
+    0,/* PyObject_GenericSetAttr, */                    /* tp_setattro */
+    0,                    /* tp_as_buffer */
+    Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC,   /* tp_flags */
+    scanner_doc,          /* tp_doc */
+    scanner_traverse,                    /* tp_traverse */
+    scanner_clear,                    /* tp_clear */
+    0,                    /* tp_richcompare */
+    0,                    /* tp_weaklistoffset */
+    0,                    /* tp_iter */
+    0,                    /* tp_iternext */
+    0,                    /* tp_methods */
+    scanner_members,                    /* tp_members */
+    0,                    /* tp_getset */
+    0,                    /* tp_base */
+    0,                    /* tp_dict */
+    0,                    /* tp_descr_get */
+    0,                    /* tp_descr_set */
+    0,                    /* tp_dictoffset */
+    scanner_init,                    /* tp_init */
+    0,/* PyType_GenericAlloc, */        /* tp_alloc */
+    scanner_new,          /* tp_new */
+    0,/* PyObject_GC_Del, */              /* tp_free */
+};
+
+static PyObject *
+encoder_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+{
+    PyEncoderObject *s;
+    s = (PyEncoderObject *)type->tp_alloc(type, 0);
+    if (s != NULL) {
+        s->markers = NULL;
+        s->defaultfn = NULL;
+        s->encoder = NULL;
+        s->indent = NULL;
+        s->key_separator = NULL;
+        s->item_separator = NULL;
+        s->sort_keys = NULL;
+        s->skipkeys = NULL;
+        s->key_memo = NULL;
+    }
+    return (PyObject *)s;
+}
+
+static int
+encoder_init(PyObject *self, PyObject *args, PyObject *kwds)
+{
+    /* initialize Encoder object */
+    static char *kwlist[] = {"markers", "default", "encoder", "indent", "key_separator", "item_separator", "sort_keys", "skipkeys", "allow_nan", "key_memo", "use_decimal", NULL};
+
+    PyEncoderObject *s;
+    PyObject *markers, *defaultfn, *encoder, *indent, *key_separator;
+    PyObject *item_separator, *sort_keys, *skipkeys, *allow_nan, *key_memo, *use_decimal;
+
+    assert(PyEncoder_Check(self));
+    s = (PyEncoderObject *)self;
+
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "OOOOOOOOOOO:make_encoder", kwlist,
+        &markers, &defaultfn, &encoder, &indent, &key_separator, &item_separator,
+        &sort_keys, &skipkeys, &allow_nan, &key_memo, &use_decimal))
+        return -1;
+
+    s->markers = markers;
+    s->defaultfn = defaultfn;
+    s->encoder = encoder;
+    s->indent = indent;
+    s->key_separator = key_separator;
+    s->item_separator = item_separator;
+    s->sort_keys = sort_keys;
+    s->skipkeys = skipkeys;
+    s->key_memo = key_memo;
+    s->fast_encode = (PyCFunction_Check(s->encoder) && PyCFunction_GetFunction(s->encoder) == (PyCFunction)py_encode_basestring_ascii);
+    s->allow_nan = PyObject_IsTrue(allow_nan);
+    s->use_decimal = PyObject_IsTrue(use_decimal);
+
+    Py_INCREF(s->markers);
+    Py_INCREF(s->defaultfn);
+    Py_INCREF(s->encoder);
+    Py_INCREF(s->indent);
+    Py_INCREF(s->key_separator);
+    Py_INCREF(s->item_separator);
+    Py_INCREF(s->sort_keys);
+    Py_INCREF(s->skipkeys);
+    Py_INCREF(s->key_memo);
+    return 0;
+}
+
+static PyObject *
+encoder_call(PyObject *self, PyObject *args, PyObject *kwds)
+{
+    /* Python callable interface to encode_listencode_obj */
+    static char *kwlist[] = {"obj", "_current_indent_level", NULL};
+    PyObject *obj;
+    PyObject *rval;
+    Py_ssize_t indent_level;
+    PyEncoderObject *s;
+    assert(PyEncoder_Check(self));
+    s = (PyEncoderObject *)self;
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "OO&:_iterencode", kwlist,
+        &obj, _convertPyInt_AsSsize_t, &indent_level))
+        return NULL;
+    rval = PyList_New(0);
+    if (rval == NULL)
+        return NULL;
+    if (encoder_listencode_obj(s, rval, obj, indent_level)) {
+        Py_DECREF(rval);
+        return NULL;
+    }
+    return rval;
+}
+
+static PyObject *
+_encoded_const(PyObject *obj)
+{
+    /* Return the JSON string representation of None, True, False */
+    if (obj == Py_None) {
+        static PyObject *s_null = NULL;
+        if (s_null == NULL) {
+            s_null = PyString_InternFromString("null");
+        }
+        Py_INCREF(s_null);
+        return s_null;
+    }
+    else if (obj == Py_True) {
+        static PyObject *s_true = NULL;
+        if (s_true == NULL) {
+            s_true = PyString_InternFromString("true");
+        }
+        Py_INCREF(s_true);
+        return s_true;
+    }
+    else if (obj == Py_False) {
+        static PyObject *s_false = NULL;
+        if (s_false == NULL) {
+            s_false = PyString_InternFromString("false");
+        }
+        Py_INCREF(s_false);
+        return s_false;
+    }
+    else {
+        PyErr_SetString(PyExc_ValueError, "not a const");
+        return NULL;
+    }
+}
+
+static PyObject *
+encoder_encode_float(PyEncoderObject *s, PyObject *obj)
+{
+    /* Return the JSON representation of a PyFloat */
+    double i = PyFloat_AS_DOUBLE(obj);
+    if (!Py_IS_FINITE(i)) {
+        if (!s->allow_nan) {
+            PyErr_SetString(PyExc_ValueError, "Out of range float values are not JSON compliant");
+            return NULL;
+        }
+        if (i > 0) {
+            return PyString_FromString("Infinity");
+        }
+        else if (i < 0) {
+            return PyString_FromString("-Infinity");
+        }
+        else {
+            return PyString_FromString("NaN");
+        }
+    }
+    /* Use a better float format here? */
+    return PyObject_Repr(obj);
+}
+
+static PyObject *
+encoder_encode_string(PyEncoderObject *s, PyObject *obj)
+{
+    /* Return the JSON representation of a string */
+    if (s->fast_encode)
+        return py_encode_basestring_ascii(NULL, obj);
+    else
+        return PyObject_CallFunctionObjArgs(s->encoder, obj, NULL);
+}
+
+static int
+_steal_list_append(PyObject *lst, PyObject *stolen)
+{
+    /* Append stolen and then decrement its reference count */
+    int rval = PyList_Append(lst, stolen);
+    Py_DECREF(stolen);
+    return rval;
+}
+
+static int
+encoder_listencode_obj(PyEncoderObject *s, PyObject *rval, PyObject *obj, Py_ssize_t indent_level)
+{
+    /* Encode Python object obj to a JSON term, rval is a PyList */
+    PyObject *newobj;
+    int rv;
+
+    if (obj == Py_None || obj == Py_True || obj == Py_False) {
+        PyObject *cstr = _encoded_const(obj);
+        if (cstr == NULL)
+            return -1;
+        return _steal_list_append(rval, cstr);
+    }
+    else if (PyString_Check(obj) || PyUnicode_Check(obj))
+    {
+        PyObject *encoded = encoder_encode_string(s, obj);
+        if (encoded == NULL)
+            return -1;
+        return _steal_list_append(rval, encoded);
+    }
+    else if (PyInt_Check(obj) || PyLong_Check(obj)) {
+        PyObject *encoded = PyObject_Str(obj);
+        if (encoded == NULL)
+            return -1;
+        return _steal_list_append(rval, encoded);
+    }
+    else if (PyFloat_Check(obj)) {
+        PyObject *encoded = encoder_encode_float(s, obj);
+        if (encoded == NULL)
+            return -1;
+        return _steal_list_append(rval, encoded);
+    }
+    else if (PyList_Check(obj) || PyTuple_Check(obj)) {
+        return encoder_listencode_list(s, rval, obj, indent_level);
+    }
+    else if (PyDict_Check(obj)) {
+        return encoder_listencode_dict(s, rval, obj, indent_level);
+    }
+    else if (s->use_decimal && Decimal_Check(obj)) {
+        PyObject *encoded = PyObject_Str(obj);
+        if (encoded == NULL)
+            return -1;
+        return _steal_list_append(rval, encoded);
+    }
+    else {
+        PyObject *ident = NULL;
+        if (s->markers != Py_None) {
+            int has_key;
+            ident = PyLong_FromVoidPtr(obj);
+            if (ident == NULL)
+                return -1;
+            has_key = PyDict_Contains(s->markers, ident);
+            if (has_key) {
+                if (has_key != -1)
+                    PyErr_SetString(PyExc_ValueError, "Circular reference detected");
+                Py_DECREF(ident);
+                return -1;
+            }
+            if (PyDict_SetItem(s->markers, ident, obj)) {
+                Py_DECREF(ident);
+                return -1;
+            }
+        }
+        newobj = PyObject_CallFunctionObjArgs(s->defaultfn, obj, NULL);
+        if (newobj == NULL) {
+            Py_XDECREF(ident);
+            return -1;
+        }
+        rv = encoder_listencode_obj(s, rval, newobj, indent_level);
+        Py_DECREF(newobj);
+        if (rv) {
+            Py_XDECREF(ident);
+            return -1;
+        }
+        if (ident != NULL) {
+            if (PyDict_DelItem(s->markers, ident)) {
+                Py_XDECREF(ident);
+                return -1;
+            }
+            Py_XDECREF(ident);
+        }
+        return rv;
+    }
+}
+
+static int
+encoder_listencode_dict(PyEncoderObject *s, PyObject *rval, PyObject *dct, Py_ssize_t indent_level)
+{
+    /* Encode Python dict dct a JSON term, rval is a PyList */
+    static PyObject *open_dict = NULL;
+    static PyObject *close_dict = NULL;
+    static PyObject *empty_dict = NULL;
+    static PyObject *iteritems = NULL;
+    PyObject *kstr = NULL;
+    PyObject *ident = NULL;
+    PyObject *key, *value;
+    PyObject *iter = NULL;
+    PyObject *item = NULL;
+    PyObject *encoded = NULL;
+    int skipkeys;
+    Py_ssize_t idx;
+
+    if (open_dict == NULL || close_dict == NULL || empty_dict == NULL || iteritems == NULL) {
+        open_dict = PyString_InternFromString("{");
+        close_dict = PyString_InternFromString("}");
+        empty_dict = PyString_InternFromString("{}");
+        iteritems = PyString_InternFromString("iteritems");
+        if (open_dict == NULL || close_dict == NULL || empty_dict == NULL || iteritems == NULL)
+            return -1;
+    }
+    if (PyDict_Size(dct) == 0)
+        return PyList_Append(rval, empty_dict);
+
+    if (s->markers != Py_None) {
+        int has_key;
+        ident = PyLong_FromVoidPtr(dct);
+        if (ident == NULL)
+            goto bail;
+        has_key = PyDict_Contains(s->markers, ident);
+        if (has_key) {
+            if (has_key != -1)
+                PyErr_SetString(PyExc_ValueError, "Circular reference detected");
+            goto bail;
+        }
+        if (PyDict_SetItem(s->markers, ident, dct)) {
+            goto bail;
+        }
+    }
+
+    if (PyList_Append(rval, open_dict))
+        goto bail;
+
+    if (s->indent != Py_None) {
+        /* TODO: DOES NOT RUN */
+        indent_level += 1;
+        /*
+            newline_indent = '\n' + (_indent * _current_indent_level)
+            separator = _item_separator + newline_indent
+            buf += newline_indent
+        */
+    }
+
+    /* TODO: C speedup not implemented for sort_keys */
+
+    skipkeys = PyObject_IsTrue(s->skipkeys);
+    idx = 0;
+    iter = PyObject_CallMethodObjArgs(dct, iteritems, NULL);
+    if (iter == NULL)
+        goto bail;
+    while ((item = PyIter_Next(iter))) {
+
+        key = PyTuple_GetItem(item, 0);
+        if (key == NULL)
+            goto bail;
+        value = PyTuple_GetItem(item, 1);
+        if (value == NULL)
+            goto bail;
+        
+        encoded = PyDict_GetItem(s->key_memo, key);
+        if (encoded != NULL) {
+            Py_INCREF(encoded);
+        }
+        else if (PyString_Check(key) || PyUnicode_Check(key)) {
+            Py_INCREF(key);
+            kstr = key;
+        }
+        else if (PyFloat_Check(key)) {
+            kstr = encoder_encode_float(s, key);
+            if (kstr == NULL)
+                goto bail;
+        }
+        else if (PyInt_Check(key) || PyLong_Check(key)) {
+            kstr = PyObject_Str(key);
+            if (kstr == NULL)
+                goto bail;
+        }
+        else if (key == Py_True || key == Py_False || key == Py_None) {
+            kstr = _encoded_const(key);
+            if (kstr == NULL)
+                goto bail;
+        }
+        else if (skipkeys) {
+            Py_DECREF(item);
+            continue;
+        }
+        else {
+            /* TODO: include repr of key */
+            PyErr_SetString(PyExc_ValueError, "keys must be a string");
+            goto bail;
+        }
+
+        if (idx) {
+            if (PyList_Append(rval, s->item_separator))
+                goto bail;
+        }
+
+        if (encoded == NULL) {
+            encoded = encoder_encode_string(s, kstr);
+            Py_CLEAR(kstr);
+            if (encoded == NULL)
+                goto bail;
+            if (PyDict_SetItem(s->key_memo, key, encoded))
+                goto bail;
+        }
+        if (PyList_Append(rval, encoded)) {
+            goto bail;
+        }
+        Py_CLEAR(encoded);
+        if (PyList_Append(rval, s->key_separator))
+            goto bail;
+        if (encoder_listencode_obj(s, rval, value, indent_level))
+            goto bail;
+        Py_CLEAR(item);
+        idx += 1;
+    }
+    Py_CLEAR(iter);
+    if (PyErr_Occurred())
+        goto bail;
+    if (ident != NULL) {
+        if (PyDict_DelItem(s->markers, ident))
+            goto bail;
+        Py_CLEAR(ident);
+    }
+    if (s->indent != Py_None) {
+        /* TODO: DOES NOT RUN */
+        indent_level -= 1;
+        /*
+            yield '\n' + (_indent * _current_indent_level)
+        */
+    }
+    if (PyList_Append(rval, close_dict))
+        goto bail;
+    return 0;
+
+bail:
+    Py_XDECREF(encoded);
+    Py_XDECREF(item);
+    Py_XDECREF(iter);
+    Py_XDECREF(kstr);
+    Py_XDECREF(ident);
+    return -1;
+}
+
+
+static int
+encoder_listencode_list(PyEncoderObject *s, PyObject *rval, PyObject *seq, Py_ssize_t indent_level)
+{
+    /* Encode Python list seq to a JSON term, rval is a PyList */
+    static PyObject *open_array = NULL;
+    static PyObject *close_array = NULL;
+    static PyObject *empty_array = NULL;
+    PyObject *ident = NULL;
+    PyObject *iter = NULL;
+    PyObject *obj = NULL;
+    int is_true;
+    int i = 0;
+
+    if (open_array == NULL || close_array == NULL || empty_array == NULL) {
+        open_array = PyString_InternFromString("[");
+        close_array = PyString_InternFromString("]");
+        empty_array = PyString_InternFromString("[]");
+        if (open_array == NULL || close_array == NULL || empty_array == NULL)
+            return -1;
+    }
+    ident = NULL;
+    is_true = PyObject_IsTrue(seq);
+    if (is_true == -1)
+        return -1;
+    else if (is_true == 0)
+        return PyList_Append(rval, empty_array);
+
+    if (s->markers != Py_None) {
+        int has_key;
+        ident = PyLong_FromVoidPtr(seq);
+        if (ident == NULL)
+            goto bail;
+        has_key = PyDict_Contains(s->markers, ident);
+        if (has_key) {
+            if (has_key != -1)
+                PyErr_SetString(PyExc_ValueError, "Circular reference detected");
+            goto bail;
+        }
+        if (PyDict_SetItem(s->markers, ident, seq)) {
+            goto bail;
+        }
+    }
+
+    iter = PyObject_GetIter(seq);
+    if (iter == NULL)
+        goto bail;
+
+    if (PyList_Append(rval, open_array))
+        goto bail;
+    if (s->indent != Py_None) {
+        /* TODO: DOES NOT RUN */
+        indent_level += 1;
+        /*
+            newline_indent = '\n' + (_indent * _current_indent_level)
+            separator = _item_separator + newline_indent
+            buf += newline_indent
+        */
+    }
+    while ((obj = PyIter_Next(iter))) {
+        if (i) {
+            if (PyList_Append(rval, s->item_separator))
+                goto bail;
+        }
+        if (encoder_listencode_obj(s, rval, obj, indent_level))
+            goto bail;
+        i++;
+        Py_CLEAR(obj);
+    }
+    Py_CLEAR(iter);
+    if (PyErr_Occurred())
+        goto bail;
+    if (ident != NULL) {
+        if (PyDict_DelItem(s->markers, ident))
+            goto bail;
+        Py_CLEAR(ident);
+    }
+    if (s->indent != Py_None) {
+        /* TODO: DOES NOT RUN */
+        indent_level -= 1;
+        /*
+            yield '\n' + (_indent * _current_indent_level)
+        */
+    }
+    if (PyList_Append(rval, close_array))
+        goto bail;
+    return 0;
+
+bail:
+    Py_XDECREF(obj);
+    Py_XDECREF(iter);
+    Py_XDECREF(ident);
+    return -1;
+}
+
+static void
+encoder_dealloc(PyObject *self)
+{
+    /* Deallocate Encoder */
+    encoder_clear(self);
+    Py_TYPE(self)->tp_free(self);
+}
+
+static int
+encoder_traverse(PyObject *self, visitproc visit, void *arg)
+{
+    PyEncoderObject *s;
+    assert(PyEncoder_Check(self));
+    s = (PyEncoderObject *)self;
+    Py_VISIT(s->markers);
+    Py_VISIT(s->defaultfn);
+    Py_VISIT(s->encoder);
+    Py_VISIT(s->indent);
+    Py_VISIT(s->key_separator);
+    Py_VISIT(s->item_separator);
+    Py_VISIT(s->sort_keys);
+    Py_VISIT(s->skipkeys);
+    Py_VISIT(s->key_memo);
+    return 0;
+}
+
+static int
+encoder_clear(PyObject *self)
+{
+    /* Deallocate Encoder */
+    PyEncoderObject *s;
+    assert(PyEncoder_Check(self));
+    s = (PyEncoderObject *)self;
+    Py_CLEAR(s->markers);
+    Py_CLEAR(s->defaultfn);
+    Py_CLEAR(s->encoder);
+    Py_CLEAR(s->indent);
+    Py_CLEAR(s->key_separator);
+    Py_CLEAR(s->item_separator);
+    Py_CLEAR(s->sort_keys);
+    Py_CLEAR(s->skipkeys);
+    Py_CLEAR(s->key_memo);
+    return 0;
+}
+
+PyDoc_STRVAR(encoder_doc, "_iterencode(obj, _current_indent_level) -> iterable");
+
+static
+PyTypeObject PyEncoderType = {
+    PyObject_HEAD_INIT(NULL)
+    0,                    /* tp_internal */
+    "simplejson._speedups.Encoder",       /* tp_name */
+    sizeof(PyEncoderObject), /* tp_basicsize */
+    0,                    /* tp_itemsize */
+    encoder_dealloc, /* tp_dealloc */
+    0,                    /* tp_print */
+    0,                    /* tp_getattr */
+    0,                    /* tp_setattr */
+    0,                    /* tp_compare */
+    0,                    /* tp_repr */
+    0,                    /* tp_as_number */
+    0,                    /* tp_as_sequence */
+    0,                    /* tp_as_mapping */
+    0,                    /* tp_hash */
+    encoder_call,         /* tp_call */
+    0,                    /* tp_str */
+    0,                    /* tp_getattro */
+    0,                    /* tp_setattro */
+    0,                    /* tp_as_buffer */
+    Py_TPFLAGS_DEFAULT | Py_TPFLAGS_HAVE_GC,   /* tp_flags */
+    encoder_doc,          /* tp_doc */
+    encoder_traverse,     /* tp_traverse */
+    encoder_clear,        /* tp_clear */
+    0,                    /* tp_richcompare */
+    0,                    /* tp_weaklistoffset */
+    0,                    /* tp_iter */
+    0,                    /* tp_iternext */
+    0,                    /* tp_methods */
+    encoder_members,      /* tp_members */
+    0,                    /* tp_getset */
+    0,                    /* tp_base */
+    0,                    /* tp_dict */
+    0,                    /* tp_descr_get */
+    0,                    /* tp_descr_set */
+    0,                    /* tp_dictoffset */
+    encoder_init,         /* tp_init */
+    0,                    /* tp_alloc */
+    encoder_new,          /* tp_new */
+    0,                    /* tp_free */
+};
+
+static PyMethodDef speedups_methods[] = {
+    {"encode_basestring_ascii",
+        (PyCFunction)py_encode_basestring_ascii,
+        METH_O,
+        pydoc_encode_basestring_ascii},
+    {"scanstring",
+        (PyCFunction)py_scanstring,
+        METH_VARARGS,
+        pydoc_scanstring},
+    {NULL, NULL, 0, NULL}
+};
+
+PyDoc_STRVAR(module_doc,
+"simplejson speedups\n");
+
+void
+init_speedups(void)
+{
+    PyObject *m, *decimal;
+    PyScannerType.tp_new = PyType_GenericNew;
+    if (PyType_Ready(&PyScannerType) < 0)
+        return;
+    PyEncoderType.tp_new = PyType_GenericNew;
+    if (PyType_Ready(&PyEncoderType) < 0)
+        return;
+
+    decimal = PyImport_ImportModule("decimal");
+    if (decimal == NULL)
+        return;
+    DecimalTypePtr = (PyTypeObject*)PyObject_GetAttrString(decimal, "Decimal");
+    Py_DECREF(decimal);
+    if (DecimalTypePtr == NULL)
+        return;
+
+    m = Py_InitModule3("_speedups", speedups_methods, module_doc);
+    Py_INCREF((PyObject*)&PyScannerType);
+    PyModule_AddObject(m, "make_scanner", (PyObject*)&PyScannerType);
+    Py_INCREF((PyObject*)&PyEncoderType);
+    PyModule_AddObject(m, "make_encoder", (PyObject*)&PyEncoderType);
+}
diff --git a/src/simplejson/decoder.py b/src/simplejson/decoder.py
new file mode 100755
index 00000000..4cf4015f
--- /dev/null
+++ b/src/simplejson/decoder.py
@@ -0,0 +1,421 @@
+"""Implementation of JSONDecoder
+"""
+import re
+import sys
+import struct
+
+from simplejson.scanner import make_scanner
+def _import_c_scanstring():
+    try:
+        from simplejson._speedups import scanstring
+        return scanstring
+    except ImportError:
+        return None
+c_scanstring = _import_c_scanstring()
+
+__all__ = ['JSONDecoder']
+
+FLAGS = re.VERBOSE | re.MULTILINE | re.DOTALL
+
+def _floatconstants():
+    _BYTES = '7FF80000000000007FF0000000000000'.decode('hex')
+    # The struct module in Python 2.4 would get frexp() out of range here
+    # when an endian is specified in the format string. Fixed in Python 2.5+
+    if sys.byteorder != 'big':
+        _BYTES = _BYTES[:8][::-1] + _BYTES[8:][::-1]
+    nan, inf = struct.unpack('dd', _BYTES)
+    return nan, inf, -inf
+
+NaN, PosInf, NegInf = _floatconstants()
+
+
+class JSONDecodeError(ValueError):
+    """Subclass of ValueError with the following additional properties:
+    
+    msg: The unformatted error message
+    doc: The JSON document being parsed
+    pos: The start index of doc where parsing failed
+    end: The end index of doc where parsing failed (may be None)
+    lineno: The line corresponding to pos
+    colno: The column corresponding to pos
+    endlineno: The line corresponding to end (may be None)
+    endcolno: The column corresponding to end (may be None)
+    
+    """
+    def __init__(self, msg, doc, pos, end=None):
+        ValueError.__init__(self, errmsg(msg, doc, pos, end=end))
+        self.msg = msg
+        self.doc = doc
+        self.pos = pos
+        self.end = end
+        self.lineno, self.colno = linecol(doc, pos)
+        if end is not None:
+            self.endlineno, self.endcolno = linecol(doc, pos)
+        else:
+            self.endlineno, self.endcolno = None, None
+
+
+def linecol(doc, pos):
+    lineno = doc.count('\n', 0, pos) + 1
+    if lineno == 1:
+        colno = pos
+    else:
+        colno = pos - doc.rindex('\n', 0, pos)
+    return lineno, colno
+
+
+def errmsg(msg, doc, pos, end=None):
+    # Note that this function is called from _speedups
+    lineno, colno = linecol(doc, pos)
+    if end is None:
+        #fmt = '{0}: line {1} column {2} (char {3})'
+        #return fmt.format(msg, lineno, colno, pos)
+        fmt = '%s: line %d column %d (char %d)'
+        return fmt % (msg, lineno, colno, pos)
+    endlineno, endcolno = linecol(doc, end)
+    #fmt = '{0}: line {1} column {2} - line {3} column {4} (char {5} - {6})'
+    #return fmt.format(msg, lineno, colno, endlineno, endcolno, pos, end)
+    fmt = '%s: line %d column %d - line %d column %d (char %d - %d)'
+    return fmt % (msg, lineno, colno, endlineno, endcolno, pos, end)
+
+
+_CONSTANTS = {
+    '-Infinity': NegInf,
+    'Infinity': PosInf,
+    'NaN': NaN,
+}
+
+STRINGCHUNK = re.compile(r'(.*?)(["\\\x00-\x1f])', FLAGS)
+BACKSLASH = {
+    '"': u'"', '\\': u'\\', '/': u'/',
+    'b': u'\b', 'f': u'\f', 'n': u'\n', 'r': u'\r', 't': u'\t',
+}
+
+DEFAULT_ENCODING = "utf-8"
+
+def py_scanstring(s, end, encoding=None, strict=True,
+        _b=BACKSLASH, _m=STRINGCHUNK.match):
+    """Scan the string s for a JSON string. End is the index of the
+    character in s after the quote that started the JSON string.
+    Unescapes all valid JSON string escape sequences and raises ValueError
+    on attempt to decode an invalid string. If strict is False then literal
+    control characters are allowed in the string.
+
+    Returns a tuple of the decoded string and the index of the character in s
+    after the end quote."""
+    if encoding is None:
+        encoding = DEFAULT_ENCODING
+    chunks = []
+    _append = chunks.append
+    begin = end - 1
+    while 1:
+        chunk = _m(s, end)
+        if chunk is None:
+            raise JSONDecodeError(
+                "Unterminated string starting at", s, begin)
+        end = chunk.end()
+        content, terminator = chunk.groups()
+        # Content is contains zero or more unescaped string characters
+        if content:
+            if not isinstance(content, unicode):
+                content = unicode(content, encoding)
+            _append(content)
+        # Terminator is the end of string, a literal control character,
+        # or a backslash denoting that an escape sequence follows
+        if terminator == '"':
+            break
+        elif terminator != '\\':
+            if strict:
+                msg = "Invalid control character %r at" % (terminator,)
+                #msg = "Invalid control character {0!r} at".format(terminator)
+                raise JSONDecodeError(msg, s, end)
+            else:
+                _append(terminator)
+                continue
+        try:
+            esc = s[end]
+        except IndexError:
+            raise JSONDecodeError(
+                "Unterminated string starting at", s, begin)
+        # If not a unicode escape sequence, must be in the lookup table
+        if esc != 'u':
+            try:
+                char = _b[esc]
+            except KeyError:
+                msg = "Invalid \\escape: " + repr(esc)
+                raise JSONDecodeError(msg, s, end)
+            end += 1
+        else:
+            # Unicode escape sequence
+            esc = s[end + 1:end + 5]
+            next_end = end + 5
+            if len(esc) != 4:
+                msg = "Invalid \\uXXXX escape"
+                raise JSONDecodeError(msg, s, end)
+            uni = int(esc, 16)
+            # Check for surrogate pair on UCS-4 systems
+            if 0xd800 <= uni <= 0xdbff and sys.maxunicode > 65535:
+                msg = "Invalid \\uXXXX\\uXXXX surrogate pair"
+                if not s[end + 5:end + 7] == '\\u':
+                    raise JSONDecodeError(msg, s, end)
+                esc2 = s[end + 7:end + 11]
+                if len(esc2) != 4:
+                    raise JSONDecodeError(msg, s, end)
+                uni2 = int(esc2, 16)
+                uni = 0x10000 + (((uni - 0xd800) << 10) | (uni2 - 0xdc00))
+                next_end += 6
+            char = unichr(uni)
+            end = next_end
+        # Append the unescaped character
+        _append(char)
+    return u''.join(chunks), end
+
+
+# Use speedup if available
+scanstring = c_scanstring or py_scanstring
+
+WHITESPACE = re.compile(r'[ \t\n\r]*', FLAGS)
+WHITESPACE_STR = ' \t\n\r'
+
+def JSONObject((s, end), encoding, strict, scan_once, object_hook,
+        object_pairs_hook, memo=None,
+        _w=WHITESPACE.match, _ws=WHITESPACE_STR):
+    # Backwards compatibility
+    if memo is None:
+        memo = {}
+    memo_get = memo.setdefault
+    pairs = []
+    # Use a slice to prevent IndexError from being raised, the following
+    # check will raise a more specific ValueError if the string is empty
+    nextchar = s[end:end + 1]
+    # Normally we expect nextchar == '"'
+    if nextchar != '"':
+        if nextchar in _ws:
+            end = _w(s, end).end()
+            nextchar = s[end:end + 1]
+        # Trivial empty object
+        if nextchar == '}':
+            if object_pairs_hook is not None:
+                result = object_pairs_hook(pairs)
+                return result, end
+            pairs = {}
+            if object_hook is not None:
+                pairs = object_hook(pairs)
+            return pairs, end + 1
+        elif nextchar != '"':
+            raise JSONDecodeError("Expecting property name", s, end)
+    end += 1
+    while True:
+        key, end = scanstring(s, end, encoding, strict)
+        key = memo_get(key, key)
+
+        # To skip some function call overhead we optimize the fast paths where
+        # the JSON key separator is ": " or just ":".
+        if s[end:end + 1] != ':':
+            end = _w(s, end).end()
+            if s[end:end + 1] != ':':
+                raise JSONDecodeError("Expecting : delimiter", s, end)
+
+        end += 1
+
+        try:
+            if s[end] in _ws:
+                end += 1
+                if s[end] in _ws:
+                    end = _w(s, end + 1).end()
+        except IndexError:
+            pass
+
+        try:
+            value, end = scan_once(s, end)
+        except StopIteration:
+            raise JSONDecodeError("Expecting object", s, end)
+        pairs.append((key, value))
+
+        try:
+            nextchar = s[end]
+            if nextchar in _ws:
+                end = _w(s, end + 1).end()
+                nextchar = s[end]
+        except IndexError:
+            nextchar = ''
+        end += 1
+
+        if nextchar == '}':
+            break
+        elif nextchar != ',':
+            raise JSONDecodeError("Expecting , delimiter", s, end - 1)
+
+        try:
+            nextchar = s[end]
+            if nextchar in _ws:
+                end += 1
+                nextchar = s[end]
+                if nextchar in _ws:
+                    end = _w(s, end + 1).end()
+                    nextchar = s[end]
+        except IndexError:
+            nextchar = ''
+
+        end += 1
+        if nextchar != '"':
+            raise JSONDecodeError("Expecting property name", s, end - 1)
+
+    if object_pairs_hook is not None:
+        result = object_pairs_hook(pairs)
+        return result, end
+    pairs = dict(pairs)
+    if object_hook is not None:
+        pairs = object_hook(pairs)
+    return pairs, end
+
+def JSONArray((s, end), scan_once, _w=WHITESPACE.match, _ws=WHITESPACE_STR):
+    values = []
+    nextchar = s[end:end + 1]
+    if nextchar in _ws:
+        end = _w(s, end + 1).end()
+        nextchar = s[end:end + 1]
+    # Look-ahead for trivial empty array
+    if nextchar == ']':
+        return values, end + 1
+    _append = values.append
+    while True:
+        try:
+            value, end = scan_once(s, end)
+        except StopIteration:
+            raise JSONDecodeError("Expecting object", s, end)
+        _append(value)
+        nextchar = s[end:end + 1]
+        if nextchar in _ws:
+            end = _w(s, end + 1).end()
+            nextchar = s[end:end + 1]
+        end += 1
+        if nextchar == ']':
+            break
+        elif nextchar != ',':
+            raise JSONDecodeError("Expecting , delimiter", s, end)
+
+        try:
+            if s[end] in _ws:
+                end += 1
+                if s[end] in _ws:
+                    end = _w(s, end + 1).end()
+        except IndexError:
+            pass
+
+    return values, end
+
+class JSONDecoder(object):
+    """Simple JSON <http://json.org> decoder
+
+    Performs the following translations in decoding by default:
+
+    +---------------+-------------------+
+    | JSON          | Python            |
+    +===============+===================+
+    | object        | dict              |
+    +---------------+-------------------+
+    | array         | list              |
+    +---------------+-------------------+
+    | string        | unicode           |
+    +---------------+-------------------+
+    | number (int)  | int, long         |
+    +---------------+-------------------+
+    | number (real) | float             |
+    +---------------+-------------------+
+    | true          | True              |
+    +---------------+-------------------+
+    | false         | False             |
+    +---------------+-------------------+
+    | null          | None              |
+    +---------------+-------------------+
+
+    It also understands ``NaN``, ``Infinity``, and ``-Infinity`` as
+    their corresponding ``float`` values, which is outside the JSON spec.
+
+    """
+
+    def __init__(self, encoding=None, object_hook=None, parse_float=None,
+            parse_int=None, parse_constant=None, strict=True,
+            object_pairs_hook=None):
+        """
+        *encoding* determines the encoding used to interpret any
+        :class:`str` objects decoded by this instance (``'utf-8'`` by
+        default).  It has no effect when decoding :class:`unicode` objects.
+
+        Note that currently only encodings that are a superset of ASCII work,
+        strings of other encodings should be passed in as :class:`unicode`.
+
+        *object_hook*, if specified, will be called with the result of every
+        JSON object decoded and its return value will be used in place of the
+        given :class:`dict`.  This can be used to provide custom
+        deserializations (e.g. to support JSON-RPC class hinting).
+
+        *object_pairs_hook* is an optional function that will be called with
+        the result of any object literal decode with an ordered list of pairs.
+        The return value of *object_pairs_hook* will be used instead of the
+        :class:`dict`.  This feature can be used to implement custom decoders
+        that rely on the order that the key and value pairs are decoded (for
+        example, :func:`collections.OrderedDict` will remember the order of
+        insertion). If *object_hook* is also defined, the *object_pairs_hook*
+        takes priority.
+
+        *parse_float*, if specified, will be called with the string of every
+        JSON float to be decoded.  By default, this is equivalent to
+        ``float(num_str)``. This can be used to use another datatype or parser
+        for JSON floats (e.g. :class:`decimal.Decimal`).
+
+        *parse_int*, if specified, will be called with the string of every
+        JSON int to be decoded.  By default, this is equivalent to
+        ``int(num_str)``.  This can be used to use another datatype or parser
+        for JSON integers (e.g. :class:`float`).
+
+        *parse_constant*, if specified, will be called with one of the
+        following strings: ``'-Infinity'``, ``'Infinity'``, ``'NaN'``.  This
+        can be used to raise an exception if invalid JSON numbers are
+        encountered.
+
+        *strict* controls the parser's behavior when it encounters an
+        invalid control character in a string. The default setting of
+        ``True`` means that unescaped control characters are parse errors, if
+        ``False`` then control characters will be allowed in strings.
+
+        """
+        self.encoding = encoding
+        self.object_hook = object_hook
+        self.object_pairs_hook = object_pairs_hook
+        self.parse_float = parse_float or float
+        self.parse_int = parse_int or int
+        self.parse_constant = parse_constant or _CONSTANTS.__getitem__
+        self.strict = strict
+        self.parse_object = JSONObject
+        self.parse_array = JSONArray
+        self.parse_string = scanstring
+        self.memo = {}
+        self.scan_once = make_scanner(self)
+
+    def decode(self, s, _w=WHITESPACE.match):
+        """Return the Python representation of ``s`` (a ``str`` or ``unicode``
+        instance containing a JSON document)
+
+        """
+        obj, end = self.raw_decode(s, idx=_w(s, 0).end())
+        end = _w(s, end).end()
+        if end != len(s):
+            raise JSONDecodeError("Extra data", s, end, len(s))
+        return obj
+
+    def raw_decode(self, s, idx=0):
+        """Decode a JSON document from ``s`` (a ``str`` or ``unicode``
+        beginning with a JSON document) and return a 2-tuple of the Python
+        representation and the index in ``s`` where the document ended.
+
+        This can be used to decode a JSON document from a string that may
+        have extraneous data at the end.
+
+        """
+        try:
+            obj, end = self.scan_once(s, idx)
+        except StopIteration:
+            raise JSONDecodeError("No JSON object could be decoded", s, idx)
+        return obj, end
diff --git a/src/simplejson/decoder.pyc b/src/simplejson/decoder.pyc
new file mode 100755
index 00000000..e0300154
Binary files /dev/null and b/src/simplejson/decoder.pyc differ
diff --git a/src/simplejson/encoder.py b/src/simplejson/encoder.py
new file mode 100755
index 00000000..cab84565
--- /dev/null
+++ b/src/simplejson/encoder.py
@@ -0,0 +1,501 @@
+"""Implementation of JSONEncoder
+"""
+import re
+from decimal import Decimal
+
+def _import_speedups():
+    try:
+        from simplejson import _speedups
+        return _speedups.encode_basestring_ascii, _speedups.make_encoder
+    except ImportError:
+        return None, None
+c_encode_basestring_ascii, c_make_encoder = _import_speedups()
+
+from simplejson.decoder import PosInf
+
+ESCAPE = re.compile(r'[\x00-\x1f\\"\b\f\n\r\t]')
+ESCAPE_ASCII = re.compile(r'([\\"]|[^\ -~])')
+HAS_UTF8 = re.compile(r'[\x80-\xff]')
+ESCAPE_DCT = {
+    '\\': '\\\\',
+    '"': '\\"',
+    '\b': '\\b',
+    '\f': '\\f',
+    '\n': '\\n',
+    '\r': '\\r',
+    '\t': '\\t',
+}
+for i in range(0x20):
+    #ESCAPE_DCT.setdefault(chr(i), '\\u{0:04x}'.format(i))
+    ESCAPE_DCT.setdefault(chr(i), '\\u%04x' % (i,))
+
+FLOAT_REPR = repr
+
+def encode_basestring(s):
+    """Return a JSON representation of a Python string
+
+    """
+    if isinstance(s, str) and HAS_UTF8.search(s) is not None:
+        s = s.decode('utf-8')
+    def replace(match):
+        return ESCAPE_DCT[match.group(0)]
+    return u'"' + ESCAPE.sub(replace, s) + u'"'
+
+
+def py_encode_basestring_ascii(s):
+    """Return an ASCII-only JSON representation of a Python string
+
+    """
+    if isinstance(s, str) and HAS_UTF8.search(s) is not None:
+        s = s.decode('utf-8')
+    def replace(match):
+        s = match.group(0)
+        try:
+            return ESCAPE_DCT[s]
+        except KeyError:
+            n = ord(s)
+            if n < 0x10000:
+                #return '\\u{0:04x}'.format(n)
+                return '\\u%04x' % (n,)
+            else:
+                # surrogate pair
+                n -= 0x10000
+                s1 = 0xd800 | ((n >> 10) & 0x3ff)
+                s2 = 0xdc00 | (n & 0x3ff)
+                #return '\\u{0:04x}\\u{1:04x}'.format(s1, s2)
+                return '\\u%04x\\u%04x' % (s1, s2)
+    return '"' + str(ESCAPE_ASCII.sub(replace, s)) + '"'
+
+
+encode_basestring_ascii = (
+    c_encode_basestring_ascii or py_encode_basestring_ascii)
+
+class JSONEncoder(object):
+    """Extensible JSON <http://json.org> encoder for Python data structures.
+
+    Supports the following objects and types by default:
+
+    +-------------------+---------------+
+    | Python            | JSON          |
+    +===================+===============+
+    | dict              | object        |
+    +-------------------+---------------+
+    | list, tuple       | array         |
+    +-------------------+---------------+
+    | str, unicode      | string        |
+    +-------------------+---------------+
+    | int, long, float  | number        |
+    +-------------------+---------------+
+    | True              | true          |
+    +-------------------+---------------+
+    | False             | false         |
+    +-------------------+---------------+
+    | None              | null          |
+    +-------------------+---------------+
+
+    To extend this to recognize other objects, subclass and implement a
+    ``.default()`` method with another method that returns a serializable
+    object for ``o`` if possible, otherwise it should call the superclass
+    implementation (to raise ``TypeError``).
+
+    """
+    item_separator = ', '
+    key_separator = ': '
+    def __init__(self, skipkeys=False, ensure_ascii=True,
+            check_circular=True, allow_nan=True, sort_keys=False,
+            indent=None, separators=None, encoding='utf-8', default=None,
+            use_decimal=False):
+        """Constructor for JSONEncoder, with sensible defaults.
+
+        If skipkeys is false, then it is a TypeError to attempt
+        encoding of keys that are not str, int, long, float or None.  If
+        skipkeys is True, such items are simply skipped.
+
+        If ensure_ascii is true, the output is guaranteed to be str
+        objects with all incoming unicode characters escaped.  If
+        ensure_ascii is false, the output will be unicode object.
+
+        If check_circular is true, then lists, dicts, and custom encoded
+        objects will be checked for circular references during encoding to
+        prevent an infinite recursion (which would cause an OverflowError).
+        Otherwise, no such check takes place.
+
+        If allow_nan is true, then NaN, Infinity, and -Infinity will be
+        encoded as such.  This behavior is not JSON specification compliant,
+        but is consistent with most JavaScript based encoders and decoders.
+        Otherwise, it will be a ValueError to encode such floats.
+
+        If sort_keys is true, then the output of dictionaries will be
+        sorted by key; this is useful for regression tests to ensure
+        that JSON serializations can be compared on a day-to-day basis.
+
+        If indent is a string, then JSON array elements and object members
+        will be pretty-printed with a newline followed by that string repeated
+        for each level of nesting. ``None`` (the default) selects the most compact
+        representation without any newlines. For backwards compatibility with
+        versions of simplejson earlier than 2.1.0, an integer is also accepted
+        and is converted to a string with that many spaces.
+
+        If specified, separators should be a (item_separator, key_separator)
+        tuple.  The default is (', ', ': ').  To get the most compact JSON
+        representation you should specify (',', ':') to eliminate whitespace.
+
+        If specified, default is a function that gets called for objects
+        that can't otherwise be serialized.  It should return a JSON encodable
+        version of the object or raise a ``TypeError``.
+
+        If encoding is not None, then all input strings will be
+        transformed into unicode using that encoding prior to JSON-encoding.
+        The default is UTF-8.
+        
+        If use_decimal is true (not the default), ``decimal.Decimal`` will
+        be supported directly by the encoder. For the inverse, decode JSON
+        with ``parse_float=decimal.Decimal``.
+
+        """
+
+        self.skipkeys = skipkeys
+        self.ensure_ascii = ensure_ascii
+        self.check_circular = check_circular
+        self.allow_nan = allow_nan
+        self.sort_keys = sort_keys
+        self.use_decimal = use_decimal
+        if isinstance(indent, (int, long)):
+            indent = ' ' * indent
+        self.indent = indent
+        if separators is not None:
+            self.item_separator, self.key_separator = separators
+        if default is not None:
+            self.default = default
+        self.encoding = encoding
+
+    def default(self, o):
+        """Implement this method in a subclass such that it returns
+        a serializable object for ``o``, or calls the base implementation
+        (to raise a ``TypeError``).
+
+        For example, to support arbitrary iterators, you could
+        implement default like this::
+
+            def default(self, o):
+                try:
+                    iterable = iter(o)
+                except TypeError:
+                    pass
+                else:
+                    return list(iterable)
+                return JSONEncoder.default(self, o)
+
+        """
+        raise TypeError(repr(o) + " is not JSON serializable")
+
+    def encode(self, o):
+        """Return a JSON string representation of a Python data structure.
+
+        >>> from simplejson import JSONEncoder
+        >>> JSONEncoder().encode({"foo": ["bar", "baz"]})
+        '{"foo": ["bar", "baz"]}'
+
+        """
+        # This is for extremely simple cases and benchmarks.
+        if isinstance(o, basestring):
+            if isinstance(o, str):
+                _encoding = self.encoding
+                if (_encoding is not None
+                        and not (_encoding == 'utf-8')):
+                    o = o.decode(_encoding)
+            if self.ensure_ascii:
+                return encode_basestring_ascii(o)
+            else:
+                return encode_basestring(o)
+        # This doesn't pass the iterator directly to ''.join() because the
+        # exceptions aren't as detailed.  The list call should be roughly
+        # equivalent to the PySequence_Fast that ''.join() would do.
+        chunks = self.iterencode(o, _one_shot=True)
+        if not isinstance(chunks, (list, tuple)):
+            chunks = list(chunks)
+        if self.ensure_ascii:
+            return ''.join(chunks)
+        else:
+            return u''.join(chunks)
+
+    def iterencode(self, o, _one_shot=False):
+        """Encode the given object and yield each string
+        representation as available.
+
+        For example::
+
+            for chunk in JSONEncoder().iterencode(bigobject):
+                mysocket.write(chunk)
+
+        """
+        if self.check_circular:
+            markers = {}
+        else:
+            markers = None
+        if self.ensure_ascii:
+            _encoder = encode_basestring_ascii
+        else:
+            _encoder = encode_basestring
+        if self.encoding != 'utf-8':
+            def _encoder(o, _orig_encoder=_encoder, _encoding=self.encoding):
+                if isinstance(o, str):
+                    o = o.decode(_encoding)
+                return _orig_encoder(o)
+
+        def floatstr(o, allow_nan=self.allow_nan,
+                _repr=FLOAT_REPR, _inf=PosInf, _neginf=-PosInf):
+            # Check for specials. Note that this type of test is processor
+            # and/or platform-specific, so do tests which don't depend on
+            # the internals.
+
+            if o != o:
+                text = 'NaN'
+            elif o == _inf:
+                text = 'Infinity'
+            elif o == _neginf:
+                text = '-Infinity'
+            else:
+                return _repr(o)
+
+            if not allow_nan:
+                raise ValueError(
+                    "Out of range float values are not JSON compliant: " +
+                    repr(o))
+
+            return text
+
+
+        key_memo = {}
+        if (_one_shot and c_make_encoder is not None
+                and not self.indent and not self.sort_keys):
+            _iterencode = c_make_encoder(
+                markers, self.default, _encoder, self.indent,
+                self.key_separator, self.item_separator, self.sort_keys,
+                self.skipkeys, self.allow_nan, key_memo, self.use_decimal)
+        else:
+            _iterencode = _make_iterencode(
+                markers, self.default, _encoder, self.indent, floatstr,
+                self.key_separator, self.item_separator, self.sort_keys,
+                self.skipkeys, _one_shot, self.use_decimal)
+        try:
+            return _iterencode(o, 0)
+        finally:
+            key_memo.clear()
+
+
+class JSONEncoderForHTML(JSONEncoder):
+    """An encoder that produces JSON safe to embed in HTML.
+
+    To embed JSON content in, say, a script tag on a web page, the
+    characters &, < and > should be escaped. They cannot be escaped
+    with the usual entities (e.g. &amp;) because they are not expanded
+    within <script> tags.
+    """
+
+    def encode(self, o):
+        # Override JSONEncoder.encode because it has hacks for
+        # performance that make things more complicated.
+        chunks = self.iterencode(o, True)
+        if self.ensure_ascii:
+            return ''.join(chunks)
+        else:
+            return u''.join(chunks)
+
+    def iterencode(self, o, _one_shot=False):
+        chunks = super(JSONEncoderForHTML, self).iterencode(o, _one_shot)
+        for chunk in chunks:
+            chunk = chunk.replace('&', '\\u0026')
+            chunk = chunk.replace('<', '\\u003c')
+            chunk = chunk.replace('>', '\\u003e')
+            yield chunk
+
+
+def _make_iterencode(markers, _default, _encoder, _indent, _floatstr,
+        _key_separator, _item_separator, _sort_keys, _skipkeys, _one_shot,
+        _use_decimal,
+        ## HACK: hand-optimized bytecode; turn globals into locals
+        False=False,
+        True=True,
+        ValueError=ValueError,
+        basestring=basestring,
+        Decimal=Decimal,
+        dict=dict,
+        float=float,
+        id=id,
+        int=int,
+        isinstance=isinstance,
+        list=list,
+        long=long,
+        str=str,
+        tuple=tuple,
+    ):
+
+    def _iterencode_list(lst, _current_indent_level):
+        if not lst:
+            yield '[]'
+            return
+        if markers is not None:
+            markerid = id(lst)
+            if markerid in markers:
+                raise ValueError("Circular reference detected")
+            markers[markerid] = lst
+        buf = '['
+        if _indent is not None:
+            _current_indent_level += 1
+            newline_indent = '\n' + (_indent * _current_indent_level)
+            separator = _item_separator + newline_indent
+            buf += newline_indent
+        else:
+            newline_indent = None
+            separator = _item_separator
+        first = True
+        for value in lst:
+            if first:
+                first = False
+            else:
+                buf = separator
+            if isinstance(value, basestring):
+                yield buf + _encoder(value)
+            elif value is None:
+                yield buf + 'null'
+            elif value is True:
+                yield buf + 'true'
+            elif value is False:
+                yield buf + 'false'
+            elif isinstance(value, (int, long)):
+                yield buf + str(value)
+            elif isinstance(value, float):
+                yield buf + _floatstr(value)
+            elif _use_decimal and isinstance(value, Decimal):
+                yield buf + str(value)
+            else:
+                yield buf
+                if isinstance(value, (list, tuple)):
+                    chunks = _iterencode_list(value, _current_indent_level)
+                elif isinstance(value, dict):
+                    chunks = _iterencode_dict(value, _current_indent_level)
+                else:
+                    chunks = _iterencode(value, _current_indent_level)
+                for chunk in chunks:
+                    yield chunk
+        if newline_indent is not None:
+            _current_indent_level -= 1
+            yield '\n' + (_indent * _current_indent_level)
+        yield ']'
+        if markers is not None:
+            del markers[markerid]
+
+    def _iterencode_dict(dct, _current_indent_level):
+        if not dct:
+            yield '{}'
+            return
+        if markers is not None:
+            markerid = id(dct)
+            if markerid in markers:
+                raise ValueError("Circular reference detected")
+            markers[markerid] = dct
+        yield '{'
+        if _indent is not None:
+            _current_indent_level += 1
+            newline_indent = '\n' + (_indent * _current_indent_level)
+            item_separator = _item_separator + newline_indent
+            yield newline_indent
+        else:
+            newline_indent = None
+            item_separator = _item_separator
+        first = True
+        if _sort_keys:
+            items = dct.items()
+            items.sort(key=lambda kv: kv[0])
+        else:
+            items = dct.iteritems()
+        for key, value in items:
+            if isinstance(key, basestring):
+                pass
+            # JavaScript is weakly typed for these, so it makes sense to
+            # also allow them.  Many encoders seem to do something like this.
+            elif isinstance(key, float):
+                key = _floatstr(key)
+            elif key is True:
+                key = 'true'
+            elif key is False:
+                key = 'false'
+            elif key is None:
+                key = 'null'
+            elif isinstance(key, (int, long)):
+                key = str(key)
+            elif _skipkeys:
+                continue
+            else:
+                raise TypeError("key " + repr(key) + " is not a string")
+            if first:
+                first = False
+            else:
+                yield item_separator
+            yield _encoder(key)
+            yield _key_separator
+            if isinstance(value, basestring):
+                yield _encoder(value)
+            elif value is None:
+                yield 'null'
+            elif value is True:
+                yield 'true'
+            elif value is False:
+                yield 'false'
+            elif isinstance(value, (int, long)):
+                yield str(value)
+            elif isinstance(value, float):
+                yield _floatstr(value)
+            elif _use_decimal and isinstance(value, Decimal):
+                yield str(value)
+            else:
+                if isinstance(value, (list, tuple)):
+                    chunks = _iterencode_list(value, _current_indent_level)
+                elif isinstance(value, dict):
+                    chunks = _iterencode_dict(value, _current_indent_level)
+                else:
+                    chunks = _iterencode(value, _current_indent_level)
+                for chunk in chunks:
+                    yield chunk
+        if newline_indent is not None:
+            _current_indent_level -= 1
+            yield '\n' + (_indent * _current_indent_level)
+        yield '}'
+        if markers is not None:
+            del markers[markerid]
+
+    def _iterencode(o, _current_indent_level):
+        if isinstance(o, basestring):
+            yield _encoder(o)
+        elif o is None:
+            yield 'null'
+        elif o is True:
+            yield 'true'
+        elif o is False:
+            yield 'false'
+        elif isinstance(o, (int, long)):
+            yield str(o)
+        elif isinstance(o, float):
+            yield _floatstr(o)
+        elif isinstance(o, (list, tuple)):
+            for chunk in _iterencode_list(o, _current_indent_level):
+                yield chunk
+        elif isinstance(o, dict):
+            for chunk in _iterencode_dict(o, _current_indent_level):
+                yield chunk
+        elif _use_decimal and isinstance(o, Decimal):
+            yield str(o)
+        else:
+            if markers is not None:
+                markerid = id(o)
+                if markerid in markers:
+                    raise ValueError("Circular reference detected")
+                markers[markerid] = o
+            o = _default(o)
+            for chunk in _iterencode(o, _current_indent_level):
+                yield chunk
+            if markers is not None:
+                del markers[markerid]
+
+    return _iterencode
diff --git a/src/simplejson/encoder.pyc b/src/simplejson/encoder.pyc
new file mode 100755
index 00000000..50247bcb
Binary files /dev/null and b/src/simplejson/encoder.pyc differ
diff --git a/src/simplejson/ordered_dict.py b/src/simplejson/ordered_dict.py
new file mode 100755
index 00000000..87ad8882
--- /dev/null
+++ b/src/simplejson/ordered_dict.py
@@ -0,0 +1,119 @@
+"""Drop-in replacement for collections.OrderedDict by Raymond Hettinger
+
+http://code.activestate.com/recipes/576693/
+
+"""
+from UserDict import DictMixin
+
+# Modified from original to support Python 2.4, see
+# http://code.google.com/p/simplejson/issues/detail?id=53
+try:
+    all
+except NameError:
+    def all(seq):
+        for elem in seq:
+            if not elem:
+                return False
+        return True
+
+class OrderedDict(dict, DictMixin):
+
+    def __init__(self, *args, **kwds):
+        if len(args) > 1:
+            raise TypeError('expected at most 1 arguments, got %d' % len(args))
+        try:
+            self.__end
+        except AttributeError:
+            self.clear()
+        self.update(*args, **kwds)
+
+    def clear(self):
+        self.__end = end = []
+        end += [None, end, end]         # sentinel node for doubly linked list
+        self.__map = {}                 # key --> [key, prev, next]
+        dict.clear(self)
+
+    def __setitem__(self, key, value):
+        if key not in self:
+            end = self.__end
+            curr = end[1]
+            curr[2] = end[1] = self.__map[key] = [key, curr, end]
+        dict.__setitem__(self, key, value)
+
+    def __delitem__(self, key):
+        dict.__delitem__(self, key)
+        key, prev, next = self.__map.pop(key)
+        prev[2] = next
+        next[1] = prev
+
+    def __iter__(self):
+        end = self.__end
+        curr = end[2]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[2]
+
+    def __reversed__(self):
+        end = self.__end
+        curr = end[1]
+        while curr is not end:
+            yield curr[0]
+            curr = curr[1]
+
+    def popitem(self, last=True):
+        if not self:
+            raise KeyError('dictionary is empty')
+        # Modified from original to support Python 2.4, see
+        # http://code.google.com/p/simplejson/issues/detail?id=53
+        if last:
+            key = reversed(self).next()
+        else:
+            key = iter(self).next()
+        value = self.pop(key)
+        return key, value
+
+    def __reduce__(self):
+        items = [[k, self[k]] for k in self]
+        tmp = self.__map, self.__end
+        del self.__map, self.__end
+        inst_dict = vars(self).copy()
+        self.__map, self.__end = tmp
+        if inst_dict:
+            return (self.__class__, (items,), inst_dict)
+        return self.__class__, (items,)
+
+    def keys(self):
+        return list(self)
+
+    setdefault = DictMixin.setdefault
+    update = DictMixin.update
+    pop = DictMixin.pop
+    values = DictMixin.values
+    items = DictMixin.items
+    iterkeys = DictMixin.iterkeys
+    itervalues = DictMixin.itervalues
+    iteritems = DictMixin.iteritems
+
+    def __repr__(self):
+        if not self:
+            return '%s()' % (self.__class__.__name__,)
+        return '%s(%r)' % (self.__class__.__name__, self.items())
+
+    def copy(self):
+        return self.__class__(self)
+
+    @classmethod
+    def fromkeys(cls, iterable, value=None):
+        d = cls()
+        for key in iterable:
+            d[key] = value
+        return d
+
+    def __eq__(self, other):
+        if isinstance(other, OrderedDict):
+            return len(self)==len(other) and \
+                   all(p==q for p, q in  zip(self.items(), other.items()))
+        return dict.__eq__(self, other)
+
+    def __ne__(self, other):
+        return not self == other
diff --git a/src/simplejson/scanner.py b/src/simplejson/scanner.py
new file mode 100755
index 00000000..54593a37
--- /dev/null
+++ b/src/simplejson/scanner.py
@@ -0,0 +1,77 @@
+"""JSON token scanner
+"""
+import re
+def _import_c_make_scanner():
+    try:
+        from simplejson._speedups import make_scanner
+        return make_scanner
+    except ImportError:
+        return None
+c_make_scanner = _import_c_make_scanner()
+
+__all__ = ['make_scanner']
+
+NUMBER_RE = re.compile(
+    r'(-?(?:0|[1-9]\d*))(\.\d+)?([eE][-+]?\d+)?',
+    (re.VERBOSE | re.MULTILINE | re.DOTALL))
+
+def py_make_scanner(context):
+    parse_object = context.parse_object
+    parse_array = context.parse_array
+    parse_string = context.parse_string
+    match_number = NUMBER_RE.match
+    encoding = context.encoding
+    strict = context.strict
+    parse_float = context.parse_float
+    parse_int = context.parse_int
+    parse_constant = context.parse_constant
+    object_hook = context.object_hook
+    object_pairs_hook = context.object_pairs_hook
+    memo = context.memo
+
+    def _scan_once(string, idx):
+        try:
+            nextchar = string[idx]
+        except IndexError:
+            raise StopIteration
+
+        if nextchar == '"':
+            return parse_string(string, idx + 1, encoding, strict)
+        elif nextchar == '{':
+            return parse_object((string, idx + 1), encoding, strict,
+                _scan_once, object_hook, object_pairs_hook, memo)
+        elif nextchar == '[':
+            return parse_array((string, idx + 1), _scan_once)
+        elif nextchar == 'n' and string[idx:idx + 4] == 'null':
+            return None, idx + 4
+        elif nextchar == 't' and string[idx:idx + 4] == 'true':
+            return True, idx + 4
+        elif nextchar == 'f' and string[idx:idx + 5] == 'false':
+            return False, idx + 5
+
+        m = match_number(string, idx)
+        if m is not None:
+            integer, frac, exp = m.groups()
+            if frac or exp:
+                res = parse_float(integer + (frac or '') + (exp or ''))
+            else:
+                res = parse_int(integer)
+            return res, m.end()
+        elif nextchar == 'N' and string[idx:idx + 3] == 'NaN':
+            return parse_constant('NaN'), idx + 3
+        elif nextchar == 'I' and string[idx:idx + 8] == 'Infinity':
+            return parse_constant('Infinity'), idx + 8
+        elif nextchar == '-' and string[idx:idx + 9] == '-Infinity':
+            return parse_constant('-Infinity'), idx + 9
+        else:
+            raise StopIteration
+
+    def scan_once(string, idx):
+        try:
+            return _scan_once(string, idx)
+        finally:
+            memo.clear()
+
+    return scan_once
+
+make_scanner = c_make_scanner or py_make_scanner
diff --git a/src/simplejson/scanner.pyc b/src/simplejson/scanner.pyc
new file mode 100755
index 00000000..38e0d31d
Binary files /dev/null and b/src/simplejson/scanner.pyc differ
diff --git a/src/simplejson/tool.py b/src/simplejson/tool.py
new file mode 100755
index 00000000..73370db5
--- /dev/null
+++ b/src/simplejson/tool.py
@@ -0,0 +1,39 @@
+r"""Command-line tool to validate and pretty-print JSON
+
+Usage::
+
+    $ echo '{"json":"obj"}' | python -m simplejson.tool
+    {
+        "json": "obj"
+    }
+    $ echo '{ 1.2:3.4}' | python -m simplejson.tool
+    Expecting property name: line 1 column 2 (char 2)
+
+"""
+import sys
+import simplejson as json
+
+def main():
+    if len(sys.argv) == 1:
+        infile = sys.stdin
+        outfile = sys.stdout
+    elif len(sys.argv) == 2:
+        infile = open(sys.argv[1], 'rb')
+        outfile = sys.stdout
+    elif len(sys.argv) == 3:
+        infile = open(sys.argv[1], 'rb')
+        outfile = open(sys.argv[2], 'wb')
+    else:
+        raise SystemExit(sys.argv[0] + " [infile [outfile]]")
+    try:
+        obj = json.load(infile,
+                        object_pairs_hook=json.OrderedDict,
+                        use_decimal=True)
+    except ValueError, e:
+        raise SystemExit(e)
+    json.dump(obj, outfile, sort_keys=True, indent='    ', use_decimal=True)
+    outfile.write('\n')
+
+
+if __name__ == '__main__':
+    main()
diff --git a/src/tuf/__init__.py b/src/tuf/__init__.py
new file mode 100755
index 00000000..b8d34217
--- /dev/null
+++ b/src/tuf/__init__.py
@@ -0,0 +1,167 @@
+"""
+<Program Name>
+  __init__.py
+
+<Author>
+  Geremy Condra
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  VD: April 4, 2012 Revision.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Define TUF Exceptions.
+
+  The names chosen for TUF Exception classes should end in
+  'Error' except where there is a good reason not to, and
+  provide that reason in those cases.
+
+"""
+
+# Import 'tuf.formats' if a module tries to import the
+# entire tuf package (i.e., from tuf import *). 
+__all__ = ['formats']
+
+
+class Error(Exception):
+  """Indicate a generic error."""
+  pass
+
+
+
+
+
+class Warning(Warning):
+  """TUF's warning category class.  It is used by the 'warnings' module."""
+  pass
+
+
+
+
+
+class FormatError(Error):
+  """Indicate an error while validating an object's format."""
+  pass
+
+
+
+
+
+class UnsupportedAlgorithmError(Error):
+  """Indicate an error while trying to identify a user-specified algorithm."""
+  pass
+
+
+
+
+
+class BadHashError(Error):
+  """Indicate an error while checking the value a hash object."""
+  pass
+
+
+
+
+
+class BadPasswordError(Error):
+  """Indicate an error after encountering an invalid password."""
+  pass
+
+
+
+
+
+class UnknownKeyError(Error):
+  """Indicate an error while verifying key-like objects (e.g., keyids)."""
+  pass
+
+
+
+
+
+class RepositoryError(Error):
+  """Indicate an error with a repository's state, such as a missing file."""
+  pass
+
+
+
+
+
+class ExpiredMetadataError(Error):
+  """Indicate that a TUF Metadata file has expired."""
+  pass
+
+
+
+
+
+class MetadataNotAvailableError(Error):
+  """Indicate an error locating a Metadata file for a specified target/role."""
+  pass
+
+
+
+
+
+class CryptoError(Error):
+  """Indicate any cryptography-related errors."""
+  pass
+
+
+
+
+
+class UnsupportedLibraryError(Error):
+  """Indicate that a supported library could not be located or imported."""
+  pass
+
+
+
+
+
+class UnknownMethodError(CryptoError):
+  """Indicate that a user-specified cryptograpthic method is unknown."""
+  pass
+
+
+
+
+
+class DownloadError(Error):
+  """Indicate an error occurred while attempting to download a file."""
+  pass
+
+
+
+
+
+class KeyAlreadyExistsError(Error):
+  """Indicate that a key already exists and cannot be added."""
+  pass
+
+
+
+
+
+class RoleAlreadyExistsError(Error):
+  """Indicate that a role already exists and cannot be added."""
+  pass
+
+
+
+
+
+class UnknownRoleError(Error):
+  """Indicate an error trying to locate or identify a specified TUF role."""
+  pass
+
+
+
+
+
+class InvalidNameError(Error):
+  """Indicate an error while trying to validate any type of named object"""
+  pass
diff --git a/src/tuf/aggregate_tests.py b/src/tuf/aggregate_tests.py
new file mode 100755
index 00000000..99ee653c
--- /dev/null
+++ b/src/tuf/aggregate_tests.py
@@ -0,0 +1,48 @@
+"""
+<Program Name>
+  aggregate_tuf.tests.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  Jamuary 26, 2013
+ 
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Run all tuf.tests.
+
+"""
+# Run test_updater.py.
+import tuf.tests.test_updater
+
+# Run test_quickstart.
+#import tuf.tests.test_quickstart
+
+# Run test_sig.py.
+#import tuf.tests.test_sig
+
+# Run test_rsa_key.py.
+#import tuf.tests.test_rsa_key
+
+# Run test_keystore.py.
+#import tuf.tests.test_keystore
+
+# Run test_signerlib.py.
+#import tuf.tests.test_signerlib
+
+# Run test_signercli.py.
+import tuf.tests.test_signercli
+
+# Run test_download.py
+#import tuf.tests.test_download
+
+# Run test_hash.py
+#import tuf.tests.test_hash
+
+# Run test_mirrors.py.
+#import tuf.tests.test_mirrors
+
+
diff --git a/src/tuf/build_updater.py b/src/tuf/build_updater.py
new file mode 100755
index 00000000..f570886d
--- /dev/null
+++ b/src/tuf/build_updater.py
@@ -0,0 +1,177 @@
+"""
+
+build_updater.py
+
+Written by Geremy Condra
+Licensed under MIT
+Released 12 October 2010
+
+Implements the Distutils 'build_updater' command.
+"""
+
+from distutils.core import Command
+
+import os
+import shutil
+import subprocess
+import time
+import datetime
+
+
+import tuf
+import tuf.conf
+import tuf.client.updater
+
+def do_update(url):
+	tuf.conf.settings.repo_meta_dir = "."
+	repo_data = {'repo': {'urlbase': url, 'metapath': "meta", 'targetspath': "targets", 'metacontent': ['**'], 'targetscontent': ['**']}}
+
+	repo = tuf.client.updater.Repository("", repo_data)
+
+	repo.refresh()
+	targets = repo.get_all_targets()
+	
+	# JAC: add file removal support for nmap folks...
+	repo.remove_missing_files()
+
+	files_to_update = repo.get_files_to_update(targets)
+	for target in targets:
+		if target in files_to_update:
+			try:os.makedirs(os.path.dirname(target.path))
+			except: pass
+			target.download(target.path)
+
+
+def retry(f, *args, **kwargs):
+	# if an exception is raised, retry the operation
+	f(*args, **kwargs)
+	f(*args, **kwargs)
+
+def copy_metadata(client, server):
+	try: shutil.copytree(os.getcwd(), client)
+	except: pass
+        try: shutil.rmtree(client + '/' + 'cur')
+	except: pass
+	shutil.copytree(server + '/' + 'meta', client + '/' + 'cur')
+        try: shutil.rmtree(client + '/' + 'prev')
+	except: pass
+	shutil.copytree(server + '/' + 'meta', client + '/' + 'prev')
+	try: os.remove('build_updater.pyc')
+	except: pass
+
+class build_updater(Command):
+
+    # Brief (40-50 characters) description of the command
+    description = "Builds all the necessary values for a basic TUF update system for the given project"
+
+    # List of option tuples: long name, short name (None if no short
+    # name), and help string.
+    user_options = [    ('expiration', None, "Determines when signatures expire"),
+                        ('keystore', None, "The path to look for the keystore at"),
+                        ('server', None, "The directory to place the generated meta and targets folders")
+                   ]
+
+    def initialize_options(self):
+        self.keysize = None
+	self.expiration = None
+        self.keystore = None
+	self.server = None
+	self.client = None
+
+    def finalize_options(self):
+	if self.keysize is None:
+	        self.keysize = 1024
+	if self.expiration is None:
+		# today's date + 30 days
+		t = time.time()
+		t += 30 * 24 * 60 * 60
+		dt = datetime.date.fromtimestamp(t)
+		self.expiration = dt.strftime('%d/%m/%Y')
+	if self.keystore is None:
+		self.keystore = '../keystore'
+        if self.server is None:
+                self.server = os.getcwd()
+	if self.client is None:
+		self.client = os.getcwd()
+
+    def run(self):
+	args = ["quickstart.py",
+		"-k",
+		self.keystore,
+		"-t",
+		"1",
+		"-l",
+		self.server,
+		"-r",
+		os.getcwd(),
+		"-e",
+		self.expiration]
+	subprocess.call(args)
+	retry(copy_metadata, self.client, self.server)
+
+class update_updater(Command):
+
+    # Brief (40-50 characters) description of the command
+    description = "Pushes new updates to a preexisting update server"
+
+    # List of option tuples: long name, short name (None if no short
+    # name), and help string.
+    user_options = [    ('keystore', None, "The path to look for the keystore at"),
+                        ('server', None, "The directory to place the generated meta and targets folders"),
+                        ('client', None, "The directory to place the generate client package"),
+			('step', None, "The step in the process to perform")
+                   ]
+
+    def initialize_options(self):
+        self.keystore = None
+	self.server = None
+        self.password = None
+	self.client = None
+	self.step = None
+
+    def finalize_options(self):
+	if self.keystore is None:
+		self.keystore = '../keystore'
+        if self.server is None:
+                self.server = os.getcwd()
+	if self.password is None:
+		self.password = ''
+	if self.client is None:
+		self.client = '.'
+	if self.step is None:
+		self.step = 1
+
+    def run(self):
+	args = ["quickstart.py",
+		"-k",
+		self.keystore,
+		"-l",
+		self.server,
+		"-r",
+		os.getcwd(),
+                "-c",
+		self.server + '/' + 'root.cfg',
+		"--step",
+		str(self.step),
+		"-u"]
+	subprocess.call(args)
+	retry(copy_metadata, self.client, self.server)
+
+class update(Command):
+
+    # Brief (40-50 characters) description of the command
+    description = "Performs an update in the current directory"
+
+    # List of option tuples: long name, short name (None if no short
+    # name), and help string.
+    user_options = [('url', None, "The url of the remote update server")]
+
+    def initialize_options(self):
+        self.url = None
+
+    def finalize_options(self):
+	if self.url is None:
+		raise Exception("No software update URL specified")
+
+    def run(self):
+	do_update(self.url)
diff --git a/src/tuf/client/__init__.py b/src/tuf/client/__init__.py
new file mode 100755
index 00000000..e69de29b
diff --git a/src/tuf/client/updater.py b/src/tuf/client/updater.py
new file mode 100755
index 00000000..0e113c06
--- /dev/null
+++ b/src/tuf/client/updater.py
@@ -0,0 +1,1684 @@
+"""
+<Program Name>
+  updater.py
+
+<Author>
+  Geremy Condra
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  July 2012.  Based on a previous version of this module. (VLAD)
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  'updater.py' is intended to be the only TUF module that software update
+  systems need to utilize.  It provides a single class representing an
+  updater that includes methods to download, install, and verify
+  metadata/target files in a secure manner.  Importing 'updater.py' and
+  instantiating its main class is all that is required by the client prior
+  to a TUF update request.  The importation and instantiation steps allow
+  TUF to load all of the required metadata files and set the repository mirror
+  information.
+
+  An overview of the update process:
+
+  1. The software update system instructs TUF to check for updates.
+
+  2. TUF downloads and verifies timestamp.txt.
+
+  3. If timestamp.txt indicates that release.txt has changed, TUF downloads and
+  verifies release.txt.
+
+  4. TUF determines which metadata files listed in release.txt differ from those
+  described in the last release.txt that TUF has seen.  If root.txt has changed,
+  the update process starts over using the new root.txt.
+
+  5. TUF provides the software update system with a list of available files
+  according to targets.txt.
+
+  6. The software update system instructs TUF to download a specific target
+  file.
+
+  7. TUF downloads and verifies the file and then makes the file available to
+  the software update system.
+
+<Example Client>
+
+  # The client first imports the 'updater.py' module, the only module the
+  # client is required to import.  The client will utilize a single class
+  # from this module.
+  import tuf.client.updater
+
+  # The only other module the client interacts with is 'tuf.conf'.  The
+  # client accesses this module solely to set the repository directory.
+  # This directory will hold the files downloaded from a remote repository.
+  tuf.conf.repository_directory = 'local-repository'
+ 
+  # Next, the client creates a dictionary object containing the repository
+  # mirrors.  The client may download content from any one of these mirrors.
+  # In the example below, a single mirror named 'mirror1' is defined.  The
+  # mirror is located at 'http://localhost:8001', and all of the metadata
+  # and targets files can be found in the 'metadata' and 'targets' directory,
+  # respectively.  If the client wishes to only download target files from
+  # specific directories on the mirror, the 'confined_target_paths' field
+  # should be set.  In the example, the client has chosen '', which is
+  # interpreted as no confinement.  In other words, the client can download
+  # targets from any directory or subdirectories.  If the client had chosen
+  # 'targets1', they would have been confined to the '/targets/targets1/'
+  # directory on the 'http://localhost:8001' mirror. 
+  repository_mirrors = {'mirror1': {'url_prefix': 'http://localhost:8001',
+                                    'metadata_path': 'metadata',
+                                    'targets_path': 'targets',
+                                    'confined_target_paths': ['']}}
+
+  # The updater may now be instantiated.  The Updater class of 'updater.py'
+  # is called with two arguments.  The first argument assigns a name to this
+  # particular updater and the second argument the repository mirrors defined
+  # above.
+  updater = tuf.client.updater.Updater('updater', repository_mirrors)
+
+  # The client next calls the refresh() method to ensure it has the latest
+  # copies of the metadata files.
+  updater.refresh()
+
+  # The target file information for all the repository targets is determined.
+  targets = updater.all_targets()
+  
+  # Among these targets, determine the ones that have changed since the client's
+  # last refresh().  A target is considered updated if it does not exist in
+  # 'destination_directory' (current directory) or the target located there has
+  # changed.
+  destination_directory = '.'
+  updated_targets = updater.updated_targets(targets, destination_directory)
+
+  # Lastly, attempt to download each target among those that have changed.
+  # The updated target files are saved locally to 'destination_directory'.
+  for target in updated_targets:
+    updater.download_target(target, destination_directory)
+
+"""
+
+import os
+import time
+import logging
+import shutil
+import errno
+
+import tuf.formats
+import tuf.keydb
+import tuf.roledb
+import tuf.mirrors
+import tuf.download
+import tuf.conf
+import tuf.log
+import tuf.sig
+import tuf.util
+
+logger = logging.getLogger('tuf')
+
+
+class Updater(object):
+  """
+  <Purpose>
+    Provide a class that can download target files securely.  The updater
+    keeps track of currently and previously trusted metadata, target files
+    available to the client, target file attributes such as file size and 
+    hashes, key and role information, metadata signatures, and the ability
+    to determine when the download of a file should be permitted.
+
+  <Updater Attributes>
+    self.metadata:
+      Dictionary holding the currently and previously trusted metadata.
+      Example: {'current': {'root': ROOTROLE_SCHEMA,
+                            'targets':TARGETSROLE_SCHEMA, ...},
+                'previous': {'root': ROOTROLE_SCHEMA,
+                             'targets':TARGETSROLE_SCHEMA, ...}}
+    
+    self.metadata_directory:
+      The directory where trusted metadata is stored.
+      
+    self.fileinfo:
+      A cache of lengths and hashes of stored metadata files.
+      Example: {'root.txt': {'length': 13323,
+                             'hashes': {'sha256': dbfac345..}},
+                ...}
+
+    self.mirrors:
+      The repository mirrors from which metadata and targets are available.
+      Conformant to 'tuf.formats.MIRRORDICT_SCHEMA'.
+    
+    self.name:
+      The name of the updater instance.
+ 
+  <Updater Methods>
+    refresh():
+      This method downloads, verifies, and loads metadata for the top-level
+      roles in a specific order (i.e., timestamp -> release -> root -> targets)
+      The expiration time for downloaded metadata is also verified.
+      
+      The metadata for delegated roles are not refreshed by this method, but by
+      the target methods (e.g., all_targets(), targets_of_role(), target()).
+      The refresh() method should be called by the client before any target
+      requests.
+    
+    all_targets():
+      Returns the target information for the 'targets' and delegated roles.
+      Prior to extracting the target information, this method attempts a file
+      download of all the target metadata that have changed.
+    
+    targets_of_role('targets'):
+      Returns the target information for the targets of a specified role.
+      Like all_targets(), delegated metadata is updated if it has changed.
+    
+    target(file_path):
+      Returns the target information for a specific file identified by its file
+      path.  This target method also downloads the metadata of updated targets.
+    
+    updated_targets(targets, destination_directory):
+      After the client has retrieved the target information for those targets
+      they are interested in updating, they would call this method to determine
+      which targets have changed from those saved locally on disk.  All the
+      targets that have changed are returns in a list.  From this list, they
+      can request a download by calling 'download_target()'.
+    
+    download_target(target, destination_directory):
+      This method performs the actual download of the specified target.  The
+      file is saved to the 'destination_directory' argument.
+
+    remove_obsolete_targets(destination_directory):
+      Any files located in 'destination_directory' that were previously
+      served by the repository but have since been removed, can be deleted
+      from disk by the client by calling this method.
+
+  """
+
+  def __init__(self, updater_name, repository_mirrors):
+    """
+    <Purpose>
+      Constructor.  Instantiating an updater object causes all the metadata
+      files for the top-level roles to be read from disk, including the key
+      and role information for the delegated targets of 'targets'.  The actual
+      metadata for delegated roles is not loaded in __init__.  The metadata
+      for these delegated roles, including nested delegated roles, are
+      loaded, updated, and saved to the 'self.metadata' store by the target
+      methods, like all_targets() and targets_of_role().
+      
+      The initial set of metadata files are provided by the software update
+      system utilizing TUF.
+      
+      In order to use an updater, the following directories must already
+      exist locally:
+            
+            {tuf.conf.repository_directory}/metadata/current
+            {tuf.conf.repository_directory}/metadata/previous
+      
+      and, at a minimum, the root metadata file must exist:
+
+            {tuf.conf.repository_directory}/metadata/current/root.txt
+    
+    <Arguments>
+      updater_name:
+        The name of the updater.
+      
+      repository_mirrors:
+        A dictionary holding repository mirror information, conformant to
+        'tuf.formats.MIRRORDICT_SCHEMA'.  This dictionary holds information
+        such as the directory containing the metadata and target files, the
+        server's URL prefix, and the target content directories the client
+        should be confined to.
+            
+        repository_mirrors = {'mirror1': {'url_prefix': 'http://localhost:8001',
+                                          'metadata_path': 'metadata',
+                                          'targets_path': 'targets',
+                                          'confined_target_paths': ['']}}
+    
+    <Exceptions>
+      tuf.FormatError:
+        If the arguments are improperly formatted. 
+      
+      tuf.RepositoryError:
+        If there is an error with the updater's repository files, such
+        as a missing 'root.txt' file.
+
+    <Side Effects>
+      Th metadata files (e.g., 'root.txt', 'targets.txt') for the top-
+      level roles are read from disk and stored in dictionaries.
+
+    <Returns>
+      None.
+
+    """
+  
+    # Do the arguments have the correct format?
+    # These checks ensure the arguments have the appropriate
+    # number of objects and object types and that all dict
+    # keys are properly named.
+    # Raise 'tuf.FormatError' if there is a mistmatch.
+    tuf.formats.NAME_SCHEMA.check_match(updater_name)
+    tuf.formats.MIRRORDICT_SCHEMA.check_match(repository_mirrors)
+   
+    # Save the validated arguments.
+    self.name = updater_name
+    self.mirrors = repository_mirrors
+
+    # Store the trusted metadata read from disk.
+    self.metadata = {}
+    
+    # Store the currently trusted/verified metadata.
+    self.metadata['current'] = {} 
+    
+    # Store the previously trusted/verified metadata.
+    self.metadata['previous'] = {}
+
+    # Store the file information of all the metadata files.  The dict keys are
+    # paths, the dict values fileinfo data. This information can help determine
+    # whether a metadata file has changed and so needs to be re-downloaded.
+    self.fileinfo = {}
+    
+    # Store the location of the client's metadata directory.
+    self.metadata_directory = {}
+    
+    # Ensure the repository metadata directory has been set.
+    if tuf.conf.repository_directory is None:
+      message = 'The TUF update client module must specify the directory' \
+                ' containing the local repository files.' \
+                '  "tuf.conf.repository_directory" MUST be set.'
+      raise tuf.RepositoryError(message)
+
+    # Set the path for the current set of metadata files.  
+    repository_directory = tuf.conf.repository_directory
+    current_path = os.path.join(repository_directory, 'metadata', 'current')
+    
+    # Ensure the current path is valid/exists before saving it.
+    if not os.path.exists(current_path):
+      message = 'Missing '+repr(current_path)+'.  This path must exist and, ' \
+                'at a minimum, contain the root metadata file.' 
+      raise tuf.RepositoryError(message)
+    self.metadata_directory['current'] = current_path
+    
+    # Set the path for the previous set of metadata files. 
+    previous_path = os.path.join(repository_directory, 'metadata', 'previous') 
+   
+    # Ensure the previous path is valid/exists.
+    if not os.path.exists(previous_path):
+      message = 'Missing '+repr(previous_path)+'.  This path must exist.'
+      raise tuf.RepositoryError(message)
+    self.metadata_directory['previous'] = previous_path
+    
+    # Load current and previous metadata.
+    for metadata_set in ['current', 'previous']:
+      for metadata_role in ['root', 'targets', 'release', 'timestamp']:
+        self._load_metadata_from_file(metadata_set, metadata_role)
+      
+    # Raise an exception if the repository is missing the required 'root'
+    # metadata.
+    if 'root' not in self.metadata['current']:
+      message = 'No root of trust! Could not find the "root.txt" file.'
+      raise tuf.RepositoryError(message)
+
+
+
+
+  def __str__(self):
+    """
+      The string representation of an Updater object.
+    
+    """
+    
+    return self.name
+
+
+
+
+
+  def _load_metadata_from_file(self, metadata_set, metadata_role):
+    """
+    <Purpose>
+      Load current or previous metadata if there is a local file.  If the 
+      expected file belonging to 'metadata_role' (e.g., 'root.txt') cannot
+      be loaded, raise an exception.  The extracted metadata object loaded
+      from file is saved to the metadata store (i.e., self.metadata).
+        
+    <Arguments>        
+      metadata_set:
+        The string 'current' or 'previous', depending on whether one wants to
+        load the currently or previously trusted metadata file.
+            
+      metadata_role:
+        The name of the metadata. This is a role name and should
+        not end in '.txt'.  Examples: 'root', 'targets', 'targets/linux/x86'.
+
+    <Exceptions>
+      tuf.RepositoryError:
+        If the metadata could not be loaded or the extracted data is not a 
+        valid metadata object.
+
+      tuf.FormatError:
+        If role information belonging to a delegated role of 'metadata_role'
+        is improperly formatted.
+
+      tuf.Error:
+        If there was an error importing a delegated role of 'metadata_role'
+        or the metadata set is not one currently supported.
+    
+    <Side Effects>
+      If the metadata is loaded successfully, it is saved to the metadata
+      store.  If 'metadata_role' is 'root', the role and key databases
+      are reloaded.  If 'metadata_role' is a target metadata, all its
+      delegated roles are refreshed.
+
+    <Returns>
+      None.
+      
+    """
+
+    # Ensure we have a valid metadata set.
+    if metadata_set not in ['current', 'previous']:
+      raise tuf.Error('Invalid metadata set: '+repr(metadata_set))
+
+    # Save and construct the full metadata path.
+    metadata_directory = self.metadata_directory[metadata_set]
+    metadata_filename = metadata_role + '.txt'
+    metadata_filepath = os.path.join(metadata_directory, metadata_filename)
+    
+    # Ensure the metadata path is valid/exists, else ignore the call. 
+    if os.path.exists(metadata_filepath):
+      # Load the file.  The loaded object should conform to
+      # 'tuf.formats.SIGNABLE_SCHEMA'.
+      metadata_signable = tuf.util.load_json_file(metadata_filepath)
+
+      # Ensure the loaded json object is properly formatted.
+      try: 
+        tuf.formats.check_signable_object_format(metadata_signable)
+      except tuf.FormatError, e:
+        raise RepositoryError('Invalid format: '+repr(metadata_filepath)+'.')
+
+      # Extract the 'signed' role object from 'metadata_signable'.
+      metadata_object = metadata_signable['signed']
+   
+      # Save the metadata object to the metadata store.
+      self.metadata[metadata_set][metadata_role] = metadata_object
+   
+      # We need to rebuild the key and role databases if 
+      # metadata object is 'root' or target metadata.
+      if metadata_set == 'current':
+        if metadata_role == 'root':
+          self._rebuild_key_and_role_db()
+        elif metadata_object['_type'] == 'Targets':
+          tuf.roledb.remove_delegated_roles(metadata_role)
+          self._import_delegations(metadata_role)
+
+
+
+
+
+  def _rebuild_key_and_role_db(self):
+    """
+    <Purpose>
+      Rebuild the key and role databases from the currently trusted
+      'root' metadata object extracted from 'root.txt'.  This private
+      function is called when a new/updated 'root' metadata file is loaded.
+      This function will only store the role information for the top-level
+      roles (i.e., 'root', 'targets', 'release', 'timestamp').
+
+    <Arguments>
+      None.
+
+    <Exceptions>
+      tuf.FormatError:
+        If the 'root' metadata is improperly formatted.
+
+      tuf.Error:
+        If there is an error loading a role contained in the 'root'
+        metadata.
+
+    <Side Effects>
+      The key and role databases are reloaded for the top-level roles.
+
+    <Returns>
+      None.
+    
+    """
+    
+    # Clobbering this means all delegated metadata files are rendered outdated
+    # and will need to be reloaded.  However, reloading the delegated metadata
+    # files is avoided here because fetching target information with methods
+    # like all_targets() and target() always cause a refresh of these files.
+    # The metadata files for delegated roles are also not loaded when the
+    # repository is first instantiated.  Due to this setup, reloading delegated
+    # roles is not required here.
+    tuf.keydb.create_keydb_from_root_metadata(self.metadata['current']['root'])
+    tuf.roledb.create_roledb_from_root_metadata(self.metadata['current']['root'])
+
+
+
+
+
+  def _import_delegations(self, parent_role):
+    """
+    <Purpose>
+      Import all the roles delegated by 'parent_role'.
+    
+    <Arguments>
+      parent_role:
+        The role whose delegations will be imported.
+        
+    <Exceptions>
+      tuf.FormatError:
+        If a key attribute of a delegated role's signing key is
+        improperly formatted.
+
+      tuf.Error:
+        If the signing key of a delegated role cannot not be loaded.
+
+    <Side Effects>
+      The key and role database is modified to include the newly
+      loaded roles delegated by 'parent_role'.
+
+    <Returns>
+      None.
+          
+    """
+        
+    current_parent_metadata = self.metadata['current'][parent_role]
+  
+    if 'delegations' not in current_parent_metadata:
+      return
+
+    # This could be quite slow with a huge number of delegations.
+    keys_info = current_parent_metadata['delegations'].get('keys', {})
+    roles_info = current_parent_metadata['delegations'].get('roles', {})
+
+    logger.debug('Adding roles delegated from '+repr(parent_role)+'.')
+   
+    # Iterate through the keys of the delegated roles of 'parent_role'
+    # and load them.
+    for keyid, keyinfo in keys_info.items():
+      if keyinfo['keytype'] == 'rsa': 
+        rsa_key = tuf.rsa_key.create_from_metadata_format(keyinfo)
+      
+        # We specify the keyid to ensure that it's the correct keyid
+        # for the key.
+        try:
+          tuf.keydb.add_rsakey(rsa_key, keyid)
+        except tuf.KeyAlreadyExistsError:
+          pass
+        except (tuf.FormatError, tuf.Error), e:
+          logger.exception('Failed to add keyid: '+repr(keyid)+'.')
+          logger.error('Aborting role delegation for parent role '+parent_role+'.')
+          raise
+      else:
+        logger.warn('Invalid key type for '+repr(keyid)+'.')
+        continue
+
+      # Add the roles to the role database.
+      for rolename, roleinfo in roles_info.items():
+        logger.debug('Adding delegated role: '+repr(rolename)+'.')
+        try:
+          tuf.roledb.add_role(rolename, roleinfo)
+        except tuf.RoleAlreadyExistsError, e:
+          pass
+        except (tuf.FormatError, tuf.InvalidNameError), e:
+          logger.exception('Failed to add delegated role: '+rolename+'.')
+
+
+
+
+
+  def refresh(self):
+    """
+    <Purpose>
+      Update the latest copies of the metadata for the top-level roles.
+      The update request process follows a specific order to ensure the
+      metadata files are securely updated.
+        
+      The client would call refresh() prior to requesting target file
+      information.  Calling refresh() ensures target methods, like
+      all_targets() and target(), refer to the latest available content.
+      The latest copies for delegated metadata are downloaded and updated
+      by the target methods.
+
+    <Arguments>
+      None.
+
+    <Exceptions>
+      tuf.RepositoryError:
+        If the metadata for any of the top-level roles cannot be updated.
+
+      tuf.ExpiredMetadataError:
+        If any metadata has expired.
+        
+    <Side Effects>
+      Updates the metadata files for the top-level roles with the
+      latest information.
+
+    <Returns>
+      None.
+    
+    """
+        
+    # Update the top-level metadata.  The _update_metadata_if_changed() and
+    # _update_metadata() calls below do NOT perform an update if there
+    # is insufficient trusted signatures for the specified metadata.
+    # Raise 'tuf.RepositoryError' if an update fails.
+    self._update_metadata('timestamp')
+
+    self._update_metadata_if_changed('release', referenced_metadata='timestamp')
+
+    self._update_metadata_if_changed('root')
+
+    self._update_metadata_if_changed('targets')
+
+    # Updated the top-level metadata (which all had valid signatures), however,
+    # have they expired?  Raise 'tuf.ExpiredMetadataError' if any of the metadata
+    # has expired.
+    for metadata_role in ['timestamp', 'root', 'release', 'targets']:
+      self._ensure_not_expired(metadata_role)
+
+
+
+
+
+  def _update_metadata(self, metadata_role, compression=None):
+    """
+    <Purpose>
+      Download, verify, and 'install' the metadata belonging to 'metadata_role'.
+      Calling this function implies the metadata has been updated by the
+      repository and thus needs to be re-downloaded.  The current and previous
+      metadata stores are updated if the newly downloaded metadata is
+      successfully downloaded and verified.
+   
+    <Arguments>
+      metadata_role:
+        The name of the metadata. This is a role name and should not end
+        in '.txt'.  Examples: 'root', 'targets', 'targets/linux/x86'.
+      
+      compression:
+        A string designating the compression type of 'metadata_role'.
+        The 'release' metadata file may be optionally downloaded and stored in
+        compressed form.  Currently, only metadata files compressed with 'gzip'
+        are considered.  Any other string is ignored.
+
+    <Exceptions>
+      tuf.RepositoryError:
+        The metadata could not be updated. This is not specific to a single
+        failure but rather indicates that all possible ways to update the
+        metadata have been tried and failed.
+
+    <Side Effects>
+      The metadata file belonging to 'metadata_role' is downloaded from a
+      repository mirror.  If the metadata is valid, it is stored to the 
+      metadata store.
+
+    <Returns>
+      None.
+    
+    """
+    
+    # Construct the metadata filename as expected by the download/mirror modules.
+    metadata_filename = metadata_role + '.txt'
+   
+    # The 'release' metadata file may be compressed.  Add the appropriate
+    # extension to 'metadata_filename'. 
+    if compression == 'gzip':
+      metadata_filename = metadata_filename + '.gz'
+
+    # Reference to the 'get_list_of_mirrors' function.
+    get_mirrors = tuf.mirrors.get_list_of_mirrors
+
+    # Reference to the 'download_url_to_tempfileobj' function.
+    download_file = tuf.download.download_url_to_tempfileobj
+
+    # Attempt a file download from each mirror until the file is downloaded and
+    # verified.  If the signature of the downloaded file is valid, proceed,
+    # otherwise log a warning and try the next mirror.  'metadata_file_object'
+    # is the file-like object returned by 'download.py'.  'metadata_signable'
+    # is the object extracted from 'metadata_file_object'.  Metadata saved to
+    # files are regarded as 'signable' objects, conformant to
+    # 'tuf.formats.SIGNABLE_SCHEMA'.
+    metadata_file_object = None
+    metadata_signable = None
+    for mirror_url in get_mirrors('meta', metadata_filename, self.mirrors):
+      try:
+        metadata_file_object = download_file(mirror_url)
+      except tuf.DownloadError, e:
+        logger.warn('Download failed from '+mirror_url+'.')
+        continue
+      if compression:
+        metadata_file_object.decompress_temp_file_object(compression)
+
+      # Read and load the downloaded file.
+      metadata_signable = tuf.util.load_json_string(metadata_file_object.read())
+
+      # Verify the signature on the downloaded metadata object.
+      try:
+        valid = tuf.sig.verify(metadata_signable, metadata_role)
+      except (tuf.UnknownRoleError, tuf.FormatError, tuf.Error), e:
+        message = 'Unable to verify '+repr(metadata_filename)+':'+str(e)
+        logger.warn(message)
+        metedata_signable = None
+        continue
+      if valid:
+        logger.debug('Good signature on '+mirror_url+'.')
+        break
+      else:
+        logger.warn('Bad signature on '+mirror_url+'.')
+        metadata_signable = None
+        continue
+    
+    # Raise an exception if a valid metadata signable could not be downloaded
+    # from any of the mirrors.
+    if metadata_signable is None:
+      raise tuf.RepositoryError('Unable to update '+repr(metadata_filename)+'.')
+
+    # Ensure the loaded 'metadata_signable' is properly formatted.
+    try:
+      tuf.formats.check_signable_object_format(metadata_signable)
+    except tuf.FormatError, e:
+      message = 'Unable to load '+repr(metadata_filename)+' after update: '+str(e)
+      raise tuf.RepositoryError(message)
+
+    # Reject the metadata if any specified targets are not allowed.
+    if metadata_signable['signed']['_type'] == 'Targets':
+      self._ensure_all_targets_allowed(metadata_role, metadata_signable['signed'])
+
+    # The metadata has been verified. Move the metadata file into place.
+    # First, move the 'current' metadata file to the 'previous' directory
+    # if it exists.
+    current_filepath = os.path.join(self.metadata_directory['current'],
+                                    metadata_filename)
+    current_filepath = os.path.abspath(current_filepath)
+    tuf.util.ensure_parent_dir(current_filepath)
+    
+    previous_filepath = os.path.join(self.metadata_directory['previous'],
+                                     metadata_filename)
+    previous_filepath = os.path.abspath(previous_filepath)
+    if os.path.exists(current_filepath):
+      shutil.move(current_filepath, previous_filepath)
+
+    # Next, move the verified updated metadata file to the 'current' directory.
+    # Note that the 'move' method comes from tuf.util's TempFile class.
+    # 'metadata_file_object' is an instance of tuf.util.TempFile.
+    metadata_file_object.move(current_filepath)
+    
+    # Extract the metadata object so we can store it to the metadata store.
+    # 'current_metadata_object' set to 'None' if there is not an object
+    # stored for 'metadata_role'.
+    updated_metadata_object = metadata_signable['signed']
+    current_metadata_object = self.metadata['current'].get(metadata_role)
+
+    # Finally, update the metadata store.
+    logger.debug('Updated '+current_filepath+'.')
+    self.metadata['previous'][metadata_role] = current_metadata_object
+    self.metadata['current'][metadata_role] = updated_metadata_object
+
+
+
+
+
+  def _update_metadata_if_changed(self, metadata_role, referenced_metadata='release'):
+    """
+    <Purpose>
+      Update the metadata for 'metadata_role' if it has changed.  With the
+      exception of the 'timestamp' role, all the top-level roles are updated
+      by this function.  The 'timestamp' role is always downloaded from a mirror
+      without first checking if it has been updated; it is updated in refresh()
+      by calling _update_metadata('timestamp').  This function is also called for
+      delegated role metadata, which are referenced by 'release'.
+        
+      If the metadata needs to be updated but an update cannot be obtained,
+      this function will delete the file (with the exception of the root
+      metadata, which never gets removed without a replacement).
+
+      Due to the way in which metadata files are updated, it is expected that
+      'referenced_metadata' is not out of date and trusted.  The refresh()
+      method updates the top-level roles in 'timestamp -> release ->
+      root -> targets' order.  For delegated metadata, the parent role is
+      updated before the delegated role.  Taking into account that
+      'referenced_metadata' is updated and verified before 'metadata_role',
+      this function determines if 'metadata_role' has changed by checking
+      the 'meta' field of the newly updated 'referenced_metadata'.
+
+    <Arguments>
+      metadata_role:
+        The name of the metadata. This is a role name and should not end
+        in '.txt'.  Examples: 'root', 'targets', 'targets/linux/x86'.
+
+      referenced_metadata:
+        This is the metadata that provides the role information for
+        'metadata_role'.  For the top-level roles, the 'release' role
+        is the referenced metadata for the 'root', and 'targets' roles.
+        The 'timestamp' metadata is always downloaded regardless.  In
+        other words, it is updated by calling _update_metadata('timestamp')
+        and not by this function.  The referenced metadata for 'release'
+        is 'timestamp'.  See refresh().
+        
+    <Exceptions>
+      tuf.MetadataNotAvailableError:
+        If 'metadata_role' could not be downloaded after determining
+        that it had changed.
+        
+      tuf.RepositoryError:
+        If the referenced metadata is missing.
+
+    <Side Effects>
+      If it is determined that 'metadata_role' has been updated, the metadata
+      store (i.e., self.metadata) is updated with the new metadata and the
+      affected stores modified (i.e., the previous metadata store is updated).
+      If the metadata is 'targets' or a delegated targets role, the role
+      database is updated with the new information, including its delegated
+      roles.
+
+    <Returns>
+      None.
+    
+    """
+        
+    metadata_filename = metadata_role + '.txt'
+
+    # Need to ensure the referenced metadata has been loaded.
+    # The 'root' role may be updated without having 'release'
+    # available.  
+    if referenced_metadata not in self.metadata['current']:
+      if metadata_role == 'root':
+        new_fileinfo = None
+      else:
+        message = 'Cannot update '+repr(metadata_role)+' because ' \
+                  +referenced_metadata+' is missing.'
+        raise tuf.RepositoryError(message)
+    # The referenced metadata has been loaded.  Extract the new
+    # fileinfo for 'metadata_role' from it. 
+    else:
+      new_fileinfo = self.metadata['current'][referenced_metadata] \
+                                  ['meta'][metadata_filename]
+
+    # Simply return if the fileinfo has not changed according to the
+    # fileinfo provided by the referenced metadata.
+    if not self._fileinfo_has_changed(metadata_filename, new_fileinfo):
+      return
+
+    logger.info('Metadata '+repr(metadata_filename)+' has changed.')
+
+    # There might be a compressed version of the 'release' metadata
+    # that may be downloaded.  Check the 'meta' field of
+    # 'referenced_metadata' to see if it is listed. 
+    compression = None
+    if metadata_role == 'release':
+      gzip_path = metadata_filename + '.gz'
+      if gzip_path in self.metadata['current'][referenced_metadata]['meta']:
+        compression = 'gzip'
+    try:
+      self._update_metadata(metadata_role, compression=compression)
+    except tuf.RepositoryError, e:
+      # The current metadata we have is not current but we couldn't
+      # get new metadata. We shouldn't use the old metadata anymore.
+      # This will get rid of in-memory knowledge of the role and
+      # delegated roles, but will leave delegated metadata files as
+      # current files on disk.
+      # TODO: Should we get rid of the delegated metadata files?
+      # We shouldn't need to, but we need to check the trust
+      # implications of the current implementation.
+      self._delete_metadata(metadata_role)
+      message = 'Metadata for '+repr(metadata_role)+' could not be updated: '
+      raise tuf.MetadataNotAvailableError(message+str(e))
+
+    # We need to remove delegated roles because the delegated roles
+    # may not be trusted anymore.
+    if metadata_role == 'targets' or metadata_role.startswith('targets/'):
+      logger.debug('Removing delegated roles of '+repr(metadata_role)+'.')
+      tuf.roledb.remove_delegated_roles(metadata_role)
+      self._import_delegations(metadata_role)
+
+
+
+
+
+  def _ensure_all_targets_allowed(self, metadata_role, metadata_object):
+    """
+    <Purpose>
+      Ensure the delegated targets of 'metadata_role' are allowed; this is
+      determined by inspecting the delegations field of the parent role
+      of 'metadata_role'.  If a target specified by 'metadata_object'
+      is not found in the parent role's delegations field, raise an
+      exception.
+   
+    <Arguments>
+      metadata_role:
+        The name of the metadata. This is a role name and should not end
+        in '.txt'.  Examples: 'root', 'targets', 'targets/linux/x86'.
+      
+      metadata_object:
+        The metadata role object for 'metadata_role'.  This is the object
+        saved to the metadata store and stored in the 'signed' field of a
+        'signable' object (metadata roles are saved to metadata files as a
+        'signable' object).
+
+    <Exceptions>
+      tuf.RepositoryError:
+        If the targets of 'metadata_role' are not allowed according to
+        the parent's metadata file.
+    
+    <Side Effects>
+      None.
+
+    <Returns>
+      None.
+    
+    """
+    
+    # Return if 'metadata_role' is 'targets'.  'targets' is not
+    # a delegated role.
+    if metadata_role == 'targets':
+      return
+ 
+    # The targets of delegated roles are stored in the parent's
+    # metadata file.  Retrieve the parent role of 'metadata_role'
+    # to confirm 'metadata_role' contains valid targets.
+    parent_role = tuf.roledb.get_parent_rolename(metadata_role)
+
+    # Iterate through the targets of 'metadata_role' and confirm
+    # these targets with the paths listed in the parent role.
+    for target_filepath in metadata_object['targets'].keys():
+      if target_filepath not in self.metadata['current'][parent_role] \
+                                             ['delegations']['roles'] \
+                                             [metadata_role]['paths']:
+        
+        message = 'Role '+repr(metadata_role)+' specifies target '+ \
+                  target_filepath+' which is not an allowed path according '+ \
+                  'to the delegations set by '+repr(parent_role)+'.'
+        raise tuf.RepositoryError(message)
+    
+
+
+
+
+  def _fileinfo_has_changed(self, metadata_filename, new_fileinfo):
+    """
+    <Purpose>
+      Determine whether the current fileinfo of 'metadata_filename'
+      differs from 'new_fileinfo'.  The 'new_fileinfo' argument
+      should be extracted from the latest copy of the metadata
+      that references 'metadata_filename'.  Example: 'root.txt'
+      would be referenced by 'release.txt'.
+        
+      'new_fileinfo' should only be 'None' if this is for updating
+      'root.txt' without having 'release.txt' available.
+
+    <Arguments>
+      metadadata_filename:
+        The metadata filename for the role.  For the 'root' role,
+        'metadata_filename' would be 'root.txt'.
+
+      new_fileinfo:
+        A dict object representing the new file information for
+        'metadata_filename'.  'new_fileinfo' may be 'None' when
+        updating 'root' without having 'release' available.  This
+        dict conforms to 'tuf.formats.FILEINFO_SCHEMA' and has
+        the form:
+        {'length': 23423
+         'hashes': {'sha256': adfbc32343..}}
+        
+    <Exceptions>
+      None.
+
+    <Side Effects>
+      If there is no fileinfo currently loaded for 'metada_filename',
+      try to load it.
+
+    <Returns>
+      Boolean.  True if the fileinfo has changed, false otherwise.
+    
+    """
+       
+    # If there is no fileinfo currently stored for 'metadata_filename',
+    # try to load the file, calculate the fileinfo, and store it.
+    if metadata_filename not in self.fileinfo:
+      self._update_fileinfo(metadata_filename)
+
+    # Return true if there is no fileinfo for 'metadata_filename'.
+    # 'metadata_filename' is not in the 'self.fileinfo' store
+    # and it doesn't exist in the 'current' metadata location.
+    if self.fileinfo.get(metadata_filename) is None:
+      return True
+
+    # 'new_fileinfo' should only be 'None' if updating 'root.txt'
+    # without having 'release.txt'.
+    if new_fileinfo is None:
+      return True
+
+    current_fileinfo = self.fileinfo[metadata_filename]
+
+    if current_fileinfo['length'] != new_fileinfo['length']:
+      return True
+
+    # Now compare hashes. Note that the reason we can't just do a simple
+    # equality check on the fileinfo dicts is that we want to support the
+    # case where the hash algorithms listed in the metadata have changed
+    # without having that result in considering all files as needing to be
+    # updated, or not all hash algorithms listed can be calculated on the
+    # specific client.
+    for algorithm, hash_value in new_fileinfo['hashes'].items():
+      # We're only looking for a single match. This isn't a security
+      # check, we just want to prevent unnecessary downloads.
+      if hash_value == current_fileinfo['hashes'][algorithm]:
+        return False
+
+    return True
+
+
+
+
+
+  def _update_fileinfo(self, metadata_filename):
+    """
+    <Purpose>
+      Update the 'self.fileinfo' entry for the metadata belonging to
+      'metadata_filename'.  If the 'current' metadata for 'metadata_filename'
+      cannot be loaded, set the its fileinfo' to 'None' to  signal that
+      it is not in the 'self.fileinfo' AND it also doesn't exist locally.
+
+    <Arguments>
+      metadata_filename:
+        The metadata filename for the role.  For the 'root' role,
+        'metadata_filename' would be 'root.txt'.
+
+    <Exceptions>
+      None.
+
+    <Side Effects>
+      The file details of 'metadata_filename' is calculated and
+      stored to the 'self.fileinfo' store.
+
+    <Returns>
+      None.
+
+    """
+        
+    # In case we delayed loading the metadata and didn't do it in
+    # __init__ (such as with delegated metadata), then get the file
+    # info now.
+       
+    # Save the path to the current metadata file for 'metadata_filename'.
+    current_filepath = os.path.join(self.metadata_directory['current'],
+                                    metadata_filename)
+    # If the path is invalid, simply return and leave fileinfo unset.
+    if not os.path.exists(current_filepath):
+      self.fileinfo[current_filepath] = None
+      return
+   
+    # Extract the file information from the actual file and save it
+    # to the fileinfo store.
+    file_length, hashes = tuf.util.get_file_details(current_filepath)
+    metadata_fileinfo = tuf.formats.make_fileinfo(file_length, hashes)
+    self.fileinfo[metadata_filename] = metadata_fileinfo
+  
+ 
+
+
+
+  def _move_current_to_previous(self, metadata_role):
+    """
+    <Purpose>
+      Move the current metadata file for 'metadata_role' to the previous
+      directory.
+
+    <Arguments>
+      metadata_role:
+        The name of the metadata. This is a role name and should not end
+        in '.txt'.  Examples: 'root', 'targets', 'targets/linux/x86'.
+    
+    <Exceptions>
+      None.
+
+    <Side Effects>
+     The metadata file for 'metadata_role' is removed from 'current'
+     and moved to the 'previous' directory.
+
+    <Returns>
+      None.
+
+    """
+
+    # Get the 'current' and 'previous' full file paths for 'metadata_role'
+    metadata_filepath = metadata_role + '.txt'
+    previous_filepath = os.path.join(self.metadata_directory['previous'],
+                                     metadata_filepath)
+    current_filepath = os.path.join(self.metadata_directory['current'],
+                                    metadata_filepath)
+   
+    # Remove the previous path if it exists.
+    if os.path.exists(previous_filepath):
+      os.remove(previous_filepath)
+    
+    # Move the current path to the previous path.  
+    if os.path.exists(current_filepath):
+      os.rename(current_filepath, previous_filepath)
+
+
+
+
+
+  def _delete_metadata(self, metadata_role):
+    """
+    <Purpose>
+      Remove all (current) knowledge of 'metadata_role'.  The metadata
+      belonging to 'metadata_role' is removed from the current
+      'self.metadata' store and from the role database. The 'root.txt' role
+      file is never removed.
+
+    <Arguments>
+      metadata_role:
+        The name of the metadata. This is a role name and should not end
+        in '.txt'.  Examples: 'root', 'targets', 'targets/linux/x86'.
+
+    <Exceptions>
+      None.
+
+    <Side Effects>
+      The role database is modified and the metadata for 'metadata_role'
+      removed from the 'self.metadata' store.
+    
+    <Returns>
+      None.
+    
+    """
+      
+    # The root metadata role is never deleted without a replacement.
+    if metadata_role == 'root':
+      return
+    
+    # Get rid of the current metadata file.
+    self._move_current_to_previous(metadata_role)
+    
+    # Remove knowledge of the role.
+    if metadata_role in self.metadata['current']:
+      del self.metadata['current'][metadata_role]
+    tuf.roledb.remove_role(metadata_role)
+
+
+
+
+
+  def _ensure_not_expired(self, metadata_role):
+    """
+    <Purpose>
+      Raise an exception if the current specified metadata has expired.
+    
+    <Arguments>
+      metadata_role:
+        The name of the metadata. This is a role name and should not end
+        in '.txt'.  Examples: 'root', 'targets', 'targets/linux/x86'.
+    
+    <Exceptions>
+      tuf.ExpiredMetadataError:
+        If 'metadata_role' has expired.
+
+    <Side Effects>
+      None.
+
+    <Returns>
+      None.
+    
+    """
+  
+    # Construct the full metadata filename and the location of its
+    # current path.  The current path of 'metadata_role' is needed
+    # to log the exact filename of the expired metadata.
+    metadata_filename = metadata_role + '.txt'
+    rolepath =  os.path.join(self.metadata_directory['current'],
+                             metadata_filename) 
+    
+    # Extract the expiration time.
+    expires = self.metadata['current'][metadata_role]['expires']
+   
+    # If the current time has surpassed the expiration date, raise
+    # an exception.
+    if expires < time.time():
+      expires_formatted = tuf.formats.format_time(expires)
+      message = 'Metadata '+repr(rolepath)+' expired on '+expires_formatted+'.'
+      raise tuf.ExpiredMetadataError(message)
+
+
+
+
+
+  def all_targets(self):
+    """
+    <Purpose> 
+      Get a list of the target information for all the trusted targets
+      on the repository.  This list also includes all the targets of
+      delegated roles.  The list conforms to 'tuf.formats.TARGETFILES_SCHEMA'
+      and has the form:
+      [{'filepath': 'a/b/c.txt',
+        'fileinfo': {'length': 13323,
+                     'hashes': {'sha256': dbfac345..}}
+       ...]
+
+    <Arguments>
+      None.
+
+    <Exceptions>
+      tuf.RepositoryError:
+        If the metadata for the 'targets' role is missing from
+        the 'release' metadata.
+
+      tuf.UnknownRoleError:
+        If one of the roles could not be found in the role database.
+
+    <Side Effects>
+      The metadata for target roles is updated and stored.
+
+    <Returns>
+     A list of targets, conformant to 'tuf.formats.TARGETFILES_SCHEMA'.
+
+    """
+    
+    # Load the most up-to-date targets of the 'targets' role and all
+    # delegated roles.
+    self._refresh_targets_metadata(include_delegations=True)
+ 
+    all_targets = []
+    # Fetch the targets for the 'targets' role.
+    all_targets = self._targets_of_role('targets', skip_refresh=True)
+
+    # Fetch the targets for the delegated roles.
+    for delegated_role in tuf.roledb.get_delegated_rolenames('targets'):
+      all_targets = self._targets_of_role(delegated_role, all_targets,
+                                          skip_refresh=True)
+    
+    return all_targets
+
+
+
+
+
+  def _refresh_targets_metadata(self, rolename='targets', include_delegations=False):
+    """
+    <Purpose>
+      Refresh the targets metadata of 'rolename'.  If 'include_delegations'
+      is True, include all the delegations that follow 'rolename'.  The metadata
+      for the 'targets' role is updated in refresh() by the 
+      _update_metadata_if_changed('targets') call, not here.  Delegated roles
+      are not loaded when the repository is first initialized.  They are loaded
+      from disk, updated if they have changed, and stored to the 'self.metadata'
+      store by this function.  This function is called by the target methods,
+      like all_targets() and targets_of_role().
+
+    <Arguments>
+      rolename:
+        This is a delegated role name and should not end
+        in '.txt'.  Example: 'targets/linux/x86'.
+      
+      include_delegations:
+         Boolean indicating if the delegated roles set by 'rolename' should
+         be refreshed.
+
+    <Exceptions>
+      tuf.RepositoryError:
+        If the metadata file for the 'targets' role is missing
+        from the 'release' metadata.
+
+    <Side Effects>
+      The metadata for the delegated roles are loaded and updated if they
+      have changed.  Delegated metadata is removed from the role database if
+      it has expired.
+
+    <Returns>
+      None.
+
+    """
+
+    roles_to_update = []
+
+    # See if this role provides metadata and, if we're including
+    # delegations, look for metadata from delegated roles.
+    role_prefix = rolename + '/'
+    for metadata_path in self.metadata['current']['release']['meta'].keys():
+      if metadata_path == rolename + '.txt':
+        roles_to_update.append(metadata_path[:-len('.txt')])
+      elif include_delegations and metadata_path.startswith(role_prefix):
+        roles_to_update.append(metadata_path[:-len('.txt')])
+
+    # Remove the 'targets' role because it gets updated when the targets.txt
+    # file is updated in _update_metadata_if_changed('targets').
+    if rolename == 'targets':
+      try:
+        roles_to_update.remove('targets')
+      except ValueError:
+        message = 'The Release metadata file is missing the targets.txt entry.'
+        raise tuf.RepositoryError(message)
+  
+    # If there is nothing to refresh, we are done.
+    if not roles_to_update:
+      return
+
+    # Sort the roles so that parent roles always come first.
+    roles_to_update.sort()
+    logger.debug('Roles to update: '+repr(roles_to_update)+'.')
+
+    # Iterate through 'roles_to_update', load its metadata
+    # file, and update it if it has changed.
+    for rolename in roles_to_update:
+      self._load_metadata_from_file('previous', rolename)
+      self._load_metadata_from_file('current', rolename)
+
+      self._update_metadata_if_changed(rolename)
+
+      # Remove the role if it has expired.
+      try:
+        self._ensure_not_expired(rolename)
+      except tuf.ExpiredMetadataError:
+        tuf.roledb.remove_role(rolename)
+
+
+
+
+
+  def _targets_of_role(self, rolename, targets=None, skip_refresh=False):
+    """
+    <Purpose>
+      Return the target information for all the targets of 'rolename'.
+      The returned information is a list conformant to
+      'tuf.formats.TARGETFILES_SCHEMA' and has the form:
+      [{'filepath': 'a/b/c.txt',
+        'fileinfo': {'length': 13323,
+                     'hashes': {'sha256': dbfac345..}}
+       ...]
+
+    <Arguments>
+      rolename:
+        This is a role name and should not end
+        in '.txt'.  Examples: 'targets', 'targets/linux/x86'.
+      
+      targets:
+        A list of targets containing target information, conformant to
+        'tuf.formats.TARGETFILES_SCHEMA'.
+
+      skip_refresh:
+        A boolean indicating if the target metadata for 'rolename'
+        should be refreshed.
+
+    <Exceptions>
+      tuf.UnknownRoleError:
+        If 'rolename' is not found in the role database.
+
+    <Side Effects>
+      The metadata for 'rolename' is refreshed if 'skip_refresh' is False.
+
+    <Returns>
+      A list of dict objects containing the target information of all the
+      targets of 'rolename'.  Conformant to 'tuf.formats.TARGETFILES_SCHEMA'.
+
+    """
+
+    if targets is None:
+      targets = []
+
+    logger.debug('Getting targets of role: '+repr(rolename)+'.')
+
+    if not tuf.roledb.role_exists(rolename):
+      raise tuf.UnknownRoleError(rolename)
+
+    # We do not need to worry about the target paths being trusted because
+    # this is enforced before any new metadata is accepted.
+    if not skip_refresh:
+      self._refresh_targets_metadata(rolename)
+  
+    # Do we have metadata for 'rolename'?
+    if rolename not in self.metadata['current']:
+      message = 'No metadata for '+rolename+'. Unable to determine targets.'
+      logger.debug(message)
+      return targets
+
+    # Get the targets specified by the role itself.
+    for filepath, fileinfo in self.metadata['current'][rolename]['targets'].items():
+      new_target = {} 
+      new_target['filepath'] = filepath 
+      new_target['fileinfo'] = fileinfo
+      
+      targets.append(new_target)
+
+    return targets
+
+
+
+
+
+  def targets_of_role(self, rolename='targets'):
+    """
+    <Purpose> 
+      Return a list of trusted targets directly specified by 'rolename'.
+      The returned information is a list conformant to
+      tuf.formats.TARGETFILES_SCHEMA and has the form:
+      [{'filepath': 'a/b/c.txt',
+        'fileinfo': {'length': 13323,
+                     'hashes': {'sha256': dbfac345..}}
+       ...]
+      
+      This may be a very slow operation if there is a large number of
+      delegations and many metadata files aren't already downloaded.
+
+    <Arguments>
+      rolename:
+        The name of the role whose list of targets are wanted.
+        The name of the role should start with 'targets'.
+       
+    <Exceptions>
+      tuf.FormatError:
+        If 'rolename' is improperly formatted.
+     
+      tuf.RepositoryError:
+        If the metadata of 'rolename' could not be updated.
+
+      tuf.UnknownRoleError:
+        If 'rolename' is not found in the role database.
+
+    <Side Effects>
+      The metadata for updated delegated roles are downloaded and stored.
+      
+    <Returns>
+      A list of targets, conformant to 'tuf.formats.TARGETFILES_SCHEMA'. 
+
+    """
+      
+    # Does 'rolename' have the correct format?
+    # Raise 'tuf.FormatError' if there is a mismatch.
+    tuf.formats.RELPATH_SCHEMA.check_match(rolename)
+
+    self._refresh_targets_metadata(rolename)
+    
+    return self._targets_of_role(rolename, skip_refresh=True)
+
+
+
+
+
+  def target(self, target_filepath):
+    """
+    <Purpose>
+      Return the target file information for 'target_filepath'.
+    
+    <Arguments>    
+      target_filepath:
+        The path to the target file on the repository. This
+        will be relative to the 'targets' (or equivalent) directory
+        on a given mirror.
+
+    <Exceptions>
+      tuf.FormatError:
+        If 'target_filepath' is improperly formatted.
+
+      tuf.RepositoryError:
+        If 'target_filepath' was not found or there were more multiple
+        versions (same file path but different file attributes).
+   
+    <Side Effects>
+      The metadata for updated delegated roles are download and stored.
+    
+    <Returns>
+      The target information for 'target_filepath', conformant to
+      'tuf.formats.TARGETFILE_SCHEMA'.
+    
+    """
+
+    # Does 'target_filepath' have the correct format?
+    # Raise 'tuf.FormatError' if there is a mismatch.
+    tuf.formats.RELPATH_SCHEMA.check_match(target_filepath)
+
+    # Refresh the target metadata for all the delegated roles. 
+    self._refresh_targets_metadata(include_delegations=True)
+    all_rolenames = tuf.roledb.get_rolenames()
+
+    # Iterate through all the target metadata.  Take precautions
+    # to avoid duplicate files.
+    target = []
+    for rolename in all_rolenames:
+      if self.metadata['current'][rolename]['_type'] != 'Targets':
+        continue
+      # We have a target role.  Extract the filepath and fileinfo
+      # and compare it to 'target_filepath'.  Compare the fileinfo
+      # to avoid duplicates.
+      for filepath, fileinfo in self.metadata['current'][rolename] \
+                                             ['targets'].items():
+        if target_filepath == filepath:
+          # If 'target' is empty, we can just go ahead and add 'target_filepath'
+          # No need to check for duplicates in this case.
+          if len(target) == 0:
+            new_target = {}
+            new_target['filepath'] = filepath
+            new_target['fileinfo'] = fileinfo
+            target.append(new_target)
+            continue
+          # It appears we have a duplicate.  If the fileinfo match,
+          # do not add the duplicate.  Move on to the next target.
+          elif len(target) == 1:
+            if target[0]['fileinfo'] == fileinfo:
+              continue
+            # Okay, we have a matching filepath but a different fileinfo
+            # for the duplicate.  Which one is the client expecting?
+            # And why would the metadata list two different versions of the
+            # same file?  Raise an exception.
+            else:
+              message = 'Found multiple '+repr(target_filepath)+'.'
+              logger.error(message)
+              raise tuf.RespositoryError(message)
+   
+    # Riase an exception if the target information could not be retrieved.
+    if len(target) == 0:
+      message = repr(target_filepath)+' not found.'
+      logger.error(message)
+      raise tuf.RepositoryError(message)
+    
+    return target[0] 
+
+
+
+
+
+  def remove_obsolete_targets(self, destination_directory):
+    """
+    <Purpose>
+      Remove any files that are in 'previous' but not 'current'.  This
+      makes it so if you remove a file from a repository, it actually goes
+      away.  The targets for the 'targets' role and all delegated roles
+      are checked.
+    
+    <Arguments>
+      destination_directory:
+        The directory containing the target files tracked by TUF.
+
+    <Exceptions>
+      tuf.FormatError:
+        If 'destination_directory' is improperly formatted.
+      
+      tuf.RepositoryError:
+        If an error occurred removing any files.
+
+    <Side Effects>
+      Target files are removed from disk.
+
+    <Returns>
+      None.
+
+    """
+  
+    # Does 'destination_directory' have the correct format?
+    # Raise 'tuf.FormatError' if there is a mismatch.
+    tuf.formats.PATH_SCHEMA.check_match(destination_directory)
+
+    # Iterate through the rolenames and verify whether the 'previous'
+    # directory contains a target no longer found in 'current'.
+    for role in tuf.roledb.get_rolenames():
+      if role.startswith('targets'):
+        if role in self.metadata['previous'] and self.metadata['previous'][role] != None:
+          for target in self.metadata['previous'][role]['targets'].keys():
+            if target not in self.metadata['current'][role]['targets'].keys():
+              # 'target' is only in 'previous', so remove it.
+              logger.warn('Removing obsolete file: '+repr(target)+'.')
+              # Remove the file if it hasn't been removed already.
+              destination = os.path.join(destination_directory, target) 
+              try:
+                os.remove(destination)
+              except OSError, e:
+                # If 'filename' already removed, just log it.
+                if e.errno == errno.ENOENT:
+                  logger.info('File '+repr(destination)+' was already removed.')
+                else:
+                  logger.error(str(e))
+              except Exception, e:
+                logger.error(str(e))
+
+
+
+
+
+  def updated_targets(self, targets, destination_directory):
+    """
+    <Purpose>
+      Return the targets in 'targets' that have changed.  Targets are
+      considered changed if they do not exist at 'destination_directory'
+      or the target located there has mismatched file properties.
+
+      The returned information is a list conformant to
+      'tuf.formats.TARGETFILES_SCHEMA' and has the form:
+      [{'filepath': 'a/b/c.txt',
+        'fileinfo': {'length': 13323,
+                     'hashes': {'sha256': dbfac345..}}
+       ...]
+
+    <Arguments>
+      targets:
+        A list of target files.
+
+      destination_directory:
+        The directory containing the target files.
+
+    <Exceptions>
+      tuf.FormatError:
+        If the arguments are improperly formatted.
+
+    <Side Effects>
+      The files in 'targets' are read and their hashes computed. 
+
+    <Returns>
+      A list of targets, conformant to 'tuf.formats.TARGETFILES_SCHEMA'.
+
+    """
+
+    # Do the arguments have the correct format?
+    # Raise 'tuf.FormatError' if there is a mismatch.
+    tuf.formats.TARGETFILES_SCHEMA.check_match(targets)
+    tuf.formats.PATH_SCHEMA.check_match(destination_directory)
+
+    updated_targets = []
+
+    for target in targets:
+      # Get the target's filepath located in 'destination_directory'.
+      # We will compare targets against this file.
+      target_filepath = os.path.join(destination_directory, target['filepath'])
+      
+      # Try one of the algorithm/digest combos for a mismatch.  We break
+      # as soon as we find a mismatch.
+      for algorithm, digest in target['fileinfo']['hashes'].items():
+        digest_object = None
+        try:
+          digest_object = tuf.hash.digest_filename(target_filepath,
+                                                   algorithm=algorithm)
+        # This exception would occur if the target does not exist locally. 
+        except IOError:
+          updated_targets.append(target)
+          break
+        # The file does exist locally, check if its hash differs. 
+        if digest_object.hexdigest() != digest:
+          updated_targets.append(target)
+          break
+    
+    return updated_targets
+
+
+
+
+
+  def download_target(self, target, destination_directory):
+    """
+    <Purpose>
+      Download 'target' and verify it is trusted.
+        
+      This will only store the file at 'destination_directory' if the downloaded
+      file matches the description of the file in the trusted metadata.
+    
+    <Arguments>
+      target:
+        The target to be downloaded.  Conformant to
+        'tuf.formats.TARGETFILE_SCHEMA'.
+
+      destination_directory:
+        The directory to save the downloaded target file.
+
+    <Exceptions>
+      tuf.FormatError:
+        If 'target' is not properly formatted.
+
+      tuf.DownloadError:
+        If a target could not be downloaded from any of the mirrors.
+
+    <Side Effects>
+      A target file is saved to the local system.
+
+    <Returns>
+      None.
+
+    """
+
+    # Do the arguments have the correct format? 
+    # This check ensures the arguments have the appropriate 
+    # number of objects and object types, and that all dict
+    # keys are properly named.
+    # Raise 'tuf.FormatError' if the check fail.
+    tuf.formats.TARGETFILE_SCHEMA.check_match(target)
+    tuf.formats.PATH_SCHEMA.check_match(destination_directory)
+   
+    # Reference to the 'get_list_of_mirrors' function.
+    get_mirrors = tuf.mirrors.get_list_of_mirrors
+
+    # Reference to the 'download_url_to_tempfileobj' function.
+    download_file = tuf.download.download_url_to_tempfileobj
+
+    # Extract the target file information.
+    target_filepath = target['filepath']
+    trusted_length = target['fileinfo']['length']
+    trusted_hashes = target['fileinfo']['hashes']
+
+    target_file_object = None
+    # Iterate through the repositority mirrors until we successfully
+    # download a target.
+    for mirror_url in get_mirrors('target', target_filepath, self.mirrors):
+      try: 
+        target_file_object = download_file(mirror_url, trusted_hashes,
+                                           trusted_length)
+        break
+      except (tuf.DownloadError, tuf.FormatError), e:
+        logger.warn('Download failed from '+mirror_url+'.')
+        target_file_object = None
+        continue
+    # We have gone through all the mirrors.  Did we get a target file object?
+    if target_file_object == None: 
+      raise tuf.DownloadError('No download locations known.')
+   
+    # We acquired a target file object from a mirror.  Move the file into
+    # place (i.e., locally to 'destination_directory').
+    destination = os.path.join(destination_directory, target_filepath)
+    destination = os.path.abspath(destination)
+    target_dirpath = os.path.dirname(destination)
+    if target_dirpath:
+      try:
+        os.makedirs(target_dirpath)
+      except OSError, e:
+        if e.errno == errno.EEXIST:
+          pass
+        else:
+          raise
+    
+    target_file_object.move(destination)
diff --git a/src/tuf/conf.py b/src/tuf/conf.py
new file mode 100755
index 00000000..e0c5fd7f
--- /dev/null
+++ b/src/tuf/conf.py
@@ -0,0 +1,33 @@
+"""
+<Program Name>
+  conf.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  April 4, 2012.  Based a previous version by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  A central location for TUF configuration settings.
+
+"""
+
+
+# Set a directory that should be used for all temporary files. If this
+# is None, then the system default will be used. The system default
+# will also be used if a directory path set here is invalid or
+# unusable.
+temporary_directory = None
+
+# The directory under which metadata for all repositories will be
+# stored. This is not a simple cache because each repository's root of
+# trust (root.txt) will need to already be stored below here and should
+# not be deleted. At a minimum, each key in the mirrors dictionary
+# below should have a directory under 'repository_directory'
+# which already exists and within that directory should have the file
+# 'metadata/current/root.txt'.  This must be set!
+repository_directory = None
diff --git a/src/tuf/download.py b/src/tuf/download.py
new file mode 100755
index 00000000..5f72fc2b
--- /dev/null
+++ b/src/tuf/download.py
@@ -0,0 +1,233 @@
+"""
+<Program Name>
+  download.py
+  
+<Started>
+  February 21, 2012.  Based on previous version by Geremy Condra.
+
+<Author>
+  Konstantin Andrianov
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+  
+<Copyright>
+  See LICENSE for licensing information.
+  
+<Purpose>
+  Perform any file downloads and check their validity.  This means that the
+  hash and length of a downloaded file has to match the hash and length
+  supplied by the metadata of that file.  The downloaded file is technically a 
+  file-like object that will automatically destroys itself once closed.  Note
+  that the file-like object, 'tuf.util.TempFile', is returned by the
+  'download_url_to_tempfileobj()' function.
+  
+"""
+
+import urllib2
+import logging
+
+import tuf.hash
+import tuf.util
+import tuf.formats
+
+# See 'log.py' to learn how logging is handled in TUF.
+logger = logging.getLogger('tuf.download')
+
+
+def _open_connection(url):
+  """
+  <Purpose>
+    Helper function that opens a connection to the url. urllib2 supports http, 
+    ftp, and file. In python (2.6+) where the ssl module is available, urllib2 
+    also supports https.
+    
+    TODO: Do proper ssl cert/name checking. 
+    TODO: Disallow SSLv2. 	
+    TODO: Support ssl with MCrypto.
+    TODO: Determine whether this follows http redirects and decide if we like
+    that. For example, would we not want to allow redirection from ssl to
+     non-ssl urls?
+  
+  <Arguments>
+    url:
+      URL string (e.g., 'http://...' or 'ftp://...' or 'file://...') 
+    
+  <Exceptions>
+    urllib2.URLError
+    
+  <Side Effects>
+    Opens a connection to a remote server.
+    
+  <Returns>
+    File-like object.
+    
+  """
+  
+  try:
+    # urllib2.Request produces a Request object that allows for a finer control 
+    # of the requesting process. Request object allows to add headers or data to
+    # the HTTP request. For instance, request method add_header(key, val) can be
+    # used to change/spoof 'User-Agent' from default Python-urllib/x.y to 
+    # 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)' this can be useful if
+    # servers do not recognize connections that originates from 
+    # Python-urllib/x.y.
+    request = urllib2.Request(url)
+    connection = urllib2.urlopen(request)
+  except Exception, e:
+    raise tuf.DownloadError(e)
+  
+  # urllib2.urlopen returns a file-like object, I think of it as a handle to the
+  # remote data.
+  
+  return connection
+
+
+
+
+
+def _check_hashes(input_file, trusted_hashes):
+  """
+  <Purpose>
+    Helper function that verifies multiple secure hashes of the downloaded file.
+    If any of these fail it raises an exception.  This is to conform with the 
+    TUF specs, which support clients with different hashing algorithms. The
+    'hash.py' module is used to compute the hashes of the 'input_file'. 
+
+  <Arguments>
+    input_file:
+      A file or file-like object.
+    
+    trusted_hashes: 
+      A dictionary with hash-algorithm names as keys and hashes as dict values.
+      The hashes should be in the hexdigest format.
+    
+  <Exceptions>
+    tuf.BadHash, if the hashes don't match.
+    
+  <Side Effects>
+    Hash digest object is created using tfh 'tuf.hash' module.
+    
+  <Returns>
+    None.
+    
+  """
+  # Verify each trusted hash of 'trusted_hashes'.  Raise exception if
+  # any of the hashes are incorrect and return if all are correct.
+  for algorithm, trusted_hash in trusted_hashes.items():
+    digest_object = tuf.hash.digest(algorithm)
+    digest_object.update(input_file.read())
+    computed_hash = digest_object.hexdigest()
+    if trusted_hash != computed_hash:
+      msg = 'Hashes do not match. Expected '+trusted_hash+' got '+computed_hash
+      raise tuf.BadHash(msg)
+    else:
+      logger.info('The file\'s '+algorithm+' hash is correct: '+trusted_hash)
+  
+  return
+
+
+
+
+
+def download_url_to_tempfileobj(url, required_hashes=None, required_length=None):
+  """
+  <Purpose>
+    Given the url, hashes and length of the desired file, this function 
+    opens a connection to 'url' and downloads the file while ensuring its
+    length and hashes match 'required_hashes' and 'required_length'. 
+ 
+    tuf.util.TempFile is used instead of regular tempfile object because of 
+    additional functionality provided by 'tuf.util.TempFile'.
+  
+  <Arguments>
+    url:
+      A url string that represents the location of the file. 
+  
+    required_hashes:
+      A dictionary, where the keys represent the hashing algorithm used to 
+      hash the file and the dict values the hexdigest.
+  
+      For instance, a hash pair might look something like this:
+      {'md5': '37544f383be1fc1a32f42801c9c4b4d6'}
+  
+    required_length:
+      An integer value representing the length of the file.
+  
+  <Side Effects>
+    'tuf.util.TempFile' object is created.
+ 
+  <Exceptions>
+    tuf.DownloadError, if there was an error while downloading the file.
+    
+    tuf.FormatError, if any of the arguments are improperly formatted. 
+ 
+  <Returns>
+    'tuf.util.TempFile' instance.
+  
+  """
+
+  # Do all of the arguments have the appropriate format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.URL_SCHEMA.check_match(url)
+  if required_hashes is not None:
+    tuf.formats.HASHDICT_SCHEMA.check_match(required_hashes)
+  if required_length is not None:
+    tuf.formats.LENGTH_SCHEMA.check_match(required_length)
+
+  # 'url.replace()' is for compatibility with Windows-based systems because they 
+  # might put back-slashes in place of forward-slashes.  This converts it to the
+  # common format. 
+  url = url.replace('\\','/')
+  logger.info('Downloading '+url)
+  connection = _open_connection(url)
+  temp_file = tuf.util.TempFile()
+
+  # Keep track of total bytes downloaded.
+  total_downloaded = 0
+
+  try:
+    # info().get('Content-Length') gets the length of the url file.
+    file_length = int(connection.info().get('Content-Length'))
+    
+    # Does the url's 'file_length' match 'required_length'?
+    if required_length is not None and file_length != required_length:
+      message = 'Incorrect length for '+url+'. Expected '+str(required_length)+ \
+                ', got '+str(file_length)+'.'
+      raise tuf.DownloadError(message)
+
+    # While-block reads data from connection 8192-bytes at a time, or less,
+    # until 'file_length' is reached.
+    while True:
+      data = connection.read(min(8192, file_length - total_downloaded))
+      # We might have no more data to read.  Let us check bytes downloaded. 
+      if not data:
+        message = 'Downloaded '+str(total_downloaded)+'/' \
+                  +str(file_length)+' bytes'
+        logger.debug(message)
+        # Did we download the correct amount indicated by 'Content-Length'? 
+        if total_downloaded != file_length:
+          message = 'Downloaded '+str(total_downloaded)+'.  Expected '+ \
+                    str(file_length)+' for '+url
+          raise tuf.DownloadError(message)
+        # Did we download the correct amount indicated by the user? 
+        if required_length is not None and total_downloaded != required_length:
+          message = 'The user-required length of '+str(required_length)+ \
+                    'did not match the '+str(len(total_downloaded))+' downloaded'
+          raise tuf.DownloadError(message)
+        break
+      # Data successfully read from the connection.  Store it. 
+      temp_file.write(data)
+      total_downloaded = total_downloaded + len(data)
+ 
+    # We appear to have downloaded the correct amount.  Check the hashes.
+    connection.close()
+    if required_length is not None and required_hashes is not None: 
+      _check_hashes(temp_file, required_hashes)
+
+  # Exception is a base class for all non-exiting exceptions.
+  except Exception, e:
+    # Closing 'temp_file'.  The 'temp_file' data is destroyed.
+    temp_file.close_temp_file()
+    logger.error(str(e))
+    raise tuf.DownloadError(e)
+
+  return temp_file
diff --git a/src/tuf/examples/example_client.py b/src/tuf/examples/example_client.py
new file mode 100755
index 00000000..dc2b684d
--- /dev/null
+++ b/src/tuf/examples/example_client.py
@@ -0,0 +1,80 @@
+#! /usr/bin/env python
+
+"""
+  Example script demonstrating custom python code a software updater
+  utilizing The Update Framework may write to securely update files.
+  The 'basic_client.py' script can be used on the command-line to perform
+  an update that will download and update all available targets; writing
+  custom code is not required in this case.  The custom examples below
+  demonstrate: (1) updating all targets (2) updating all the targets of
+  a specified role (3) updating a specific target explicitely named.
+
+"""
+
+import logging
+
+import tuf.client.updater
+
+# Uncomment the line below to enable printing of debugging information.
+#tuf.log.set_log_level(logging.DEBUG)
+
+# Set the local repository directory containing the metadata files.
+tuf.conf.repository_directory = '.'
+
+# Set the repository mirrors.  This dictionary is needed by the repository
+# class of updater.py.  The client will download metadata and target
+# files from any one of these mirrors.
+repository_mirrors = {'mirror1': {'url_prefix': 'http://localhost:8001',
+                                  'metadata_path': 'metadata',
+                                  'targets_path': 'targets',
+                                  'confined_target_paths': ['']}}
+
+# Create the repository object using the updater name 'tuf-example'
+# and the repository mirrors defined above.
+updater = tuf.client.updater.Updater('tuf-example', repository_mirrors)
+
+# Set the local destination directory to save the target files.
+destination_directory = './targets'
+
+# Refresh the repository's top-level roles, store the target information for
+# all the targets tracked, and determine which of these targets have been
+# updated.
+updater.refresh()
+all_targets = updater.all_targets()
+updated_targets = updater.updated_targets(all_targets, destination_directory)
+
+# Download each of these updated targets and save them locally.
+for target in updated_targets:
+  try:
+    updater.download_target(target, destination_directory)
+  except tuf.DownloadError, e:
+    pass
+
+# Remove any files from the destination directory that are no longer being
+# tracked.
+updater.remove_obsolete_targets(destination_directory)
+
+
+"""
+# Example demonstrating an update that only downloads the targets of
+# a specific role (i.e., 'targets/role1')
+
+updater.refresh()
+targets_of_role1 = updater.targets_of_role('targets/role1')
+updated_targets = updater.updated_targets(targets_of_role1, destination_directory)
+
+for target in updated_targets:
+  updater.download_target(target, destination_directory)
+"""
+
+
+"""
+# Example demonstrating an update that downloads a specific target.
+
+updater.refresh()
+target = updater.target('LICENSE.txt')
+updated_target = updater.updated_targets([target], destination_directory)
+
+for target in updated_target:
+  updater.download_target(target, destination_directory)
+"""
diff --git a/src/tuf/examples/repository_basic/client/metadata/current/release.txt b/src/tuf/examples/repository_basic/client/metadata/current/release.txt
new file mode 100644
index 00000000..ade738e8
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/current/release.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4", 
+   "method": "evp", 
+   "sig": "61020111d9e1e1082d79690596d176d6eb5bad3bd0e695eb42930c39a018d18a64d52d7f4114272c8ee7c1b954708d95e0d7c6cafd95078d122dc67b3709484cef2d823376bbb9010f6cfa8034992df814c55c9f70e9411879ce7b54c4d6f1e4ed91ba328db0c26be0532d404358561ba347f1d55aad0a0eb83d9ba224b6760ad3d47dbcdc90d7ba7bf1597992288ec960a1181a1ffe1ff3b0eb7b5c4423bb1a20c01af2ddf5579e3a0704b4d7a58a8a0745edb6ce41c680239819b3772ae3f20486dc344ca7828c9581ba63af4ec11855dbf6213e2a260cc03b281659fa77c9fceeb0b7a25e1ea08bf1bbe5663bfb502c2145f6b5057005d989a8b35e56ae9b3f1f80c3c74f229d4c0bd3c807a7b6acb221ad42da90bf3137716a7d10aa9004e52ab74ceb706eeb6bb1834df1c994e83a64b3f6dae99a5586668803777d788fcc63e3ed3186c5b1186ec2dcf7fd2d7afe120470d667611ddae9b8617bd4ce1f2f0e6ae37b733a739c1d08814c53b25944f50b5be3f40488f683d3b89eb07127"
+  }
+ ], 
+ "signed": {
+  "_type": "Release", 
+  "expires": "2013-12-17 00:31:02", 
+  "meta": {
+   "root.txt": {
+    "hashes": {
+     "sha256": "72925bfeb643bd56c2368c890eb62af735d35f81d5518f42974c5d90863d4bad"
+    }, 
+    "length": 6571
+   }, 
+   "targets.txt": {
+    "hashes": {
+     "sha256": "e502a5d0079e59e122274f115fcb9a3c84f6d660bb50910fb3a757f58df00fe6"
+    }, 
+    "length": 1346
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/client/metadata/current/root.txt b/src/tuf/examples/repository_basic/client/metadata/current/root.txt
new file mode 100644
index 00000000..bdc140f0
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/current/root.txt
@@ -0,0 +1,83 @@
+{
+ "signatures": [
+  {
+   "keyid": "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b", 
+   "method": "evp", 
+   "sig": "91fb132a9ebf78fb2a688178dc5dcbbbe389baab063dd34fa9e7ccf8cb613a9356eb78ded2f7a12d454e2311b71ca0c75a2548515f1d1d35c1206da478d1535326eb172383a2687087e12f1d19b13b6adf0b4e35b9b992fecef93b0841aafb0143b19fb0e6e2dae49cd4052ddb0c1bcc4efdf3adbede95a509f04057082d80241cdbb5cb190559ce0a57906017b6352cbc0c837ca0d3428519a776454767dbcd0af1cadc5020e9e2d90cd4b8eebd4ca06859486575401aaa8aa6c3603a642d678e1f5b7849949903b28bb9bf88fab62ca30fbd160368eb998ce1c8a90a29573f02f6fcaa13bf1baa1dd72295c4de3350f72f8abbdf6d780810957c38ff2ec499c5928f241f4339c835e71b0013f6dcc41d01a7d43d8def9f8de8a46a73f9845a7f82b2a856096d6cbb9639146b94828ce1bbbf1f4927ab4d4100292d689ccc6efcf9d8fe61077224f4984bdafca6a8848020104130dc18fdea7fb53052d9bc70f94589522e8504a40518b657288ca6c9efaaf6baa562e83bd1e671f8199cafe8"
+  }, 
+  {
+   "keyid": "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2", 
+   "method": "evp", 
+   "sig": "845528efb13d16600a492201d1d656d81ab819bab60d123b2dfc9bfc04647bcf8129872a7c1b0db21d9c1005e4cd55c91282f5410c9939ca3e8acb70d55eced6194c94152d70e00193298730b9019a3282196dd23543f15c1d6f5431efb53a1b04c3d40f0e177d7ad6ecafbda363e89d5dd4e2ce8b7ac6ab2808ff361d6dabeeb443358dfcb763aa9b9857826fc587a2c4b72a0ce7d0e2d073ea4f2fe453a5b72afbcf160e3029f969b290f2e0250225a2ce88895e10fcb6c1638c70bca5d2add74324de9d581e54e9b99c9c000904b55d37a775e8496ca97aae384b500c83e2694403f4687479fb2cc56d981afa2c45b9ce968817e168f87fc0d7419e973c4162baa2e59c339ce82ec5a565a4b3993b2f3e885a1d38240996834b530de306b600d2cfbcb2660ac903b5a7b6e270081fe72f98cf6e29047915ade88cde3c860a4d1637a4f8057a6b7815e21111388bd7a678c8b3221b8adcfc1f4629ff75ebadd3160abd88b71bbb175592cd99f0769bde1466174e0a8a63a07cefbba766fcef"
+  }
+ ], 
+ "signed": {
+  "_type": "Root", 
+  "expires": "2014-12-17 00:31:01", 
+  "keys": {
+   "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuFzNjOV+tTnkMzB+UUWi\no/n0hWE5nKeBie+erzGHsRqYTwY2afsUORnogFkt2erdR9zR4TAWGMIvJbnDujQi\npkhUIueZB6vGCRBT2Mfk8vOUTQ+8Xc6FNCyhLZfJKL8fxEOAaF9HSOt3u9BugPVB\nL5QLc/fcWNgBiTErR/kcLH1LvaDeFijOuSC6VDq4GjONK70n1d/CtGmPYIMQj89L\nsIThUrREIH2oHRXFIUDJLHmAJXgw31chpC4CI9/ehnShcM1AaQTfpNwsOFkzNpfk\nCweYN3w9h6I+/3hPlD1oPluolSpz3MTQ2YXnRDBijptGBz4aPW2V6R5fE9Tx2xZr\neI2wlzsObFSvJ9V8guVc/yVM6PwCeVuQknzFo2xXYvQgzpKTSSgk1+0tiJqZkuIk\n7ENhglKwTL9vu40pTgE+gkKRC+CgDPwJ4+VMZJANsFPfCZxMw8+ddufTL70PtSp0\nKDRshTy1E4v8hMacSprTttDsXyyHswp3BARFkPZDy/c3AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAsCSACdXyAzAjYWk5acxx\nzlEZgftJULKXvzpcbEzCtwC5Izst23twvlKtGYYcJqw4sPKgxgnHy7WgUxKiVbLX\nQvop4kSKqwpfV4t8ZBHvvHypIzS6ZBknwNU4SvDeYdajbzOlNkPvrANtLyfpKtxT\nxuhmEP7lGFL5pIukNvTqIs2J+3NHNG9O0AU2iwydncohpB10utor6GRgkBj2d9N7\neZQrHyQPtMKodtmlzN2ZUwf859neBPvzd9iGLl+K2zfIHKc0AOyn2kUxFvM81FDy\nHaMuWFqfnKWDftAp8UKZqHFuljvt2zk/HH0t5w9mKiy68qL/jGAoaPcKpWgGAHN4\nTj/6ugSij6/GimYdgOr2taD5BWMyxSjyvCE0FvH/Gi+4+DT6Ll9Ri6K1iLOYjan3\njFsTMBkZ7Gdavc1vIkSgn3joZMGvdVK2JYzPy/ZJ15KEnAUbymnA+CyKAA+gSRzo\nYXSDM6JGlCci3pLl235gDu5lI03Wuf/GlPEwXs4pkry/AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA3yIiwviVYlg8NW0B8gxR\nltqmrKL0MfXjoq1UxtE0G/ySki6w8uOznnqiR+G4dOQvHbrTZytTq655v+BySCIC\nQWLyO4x7c2vm4APpiOhIfMjz23uxLhbR9ZVhk0dSv1wykP4O4TIGaRPfLTTTEADS\nqgIIXKOm4zjlztdIzjmlh5vLknI3w1VfRPYT2jBQSZ9Vld0SVNJz3JYW2ylI2jrP\njTPNnrb5GQ/pthrZZFGe1B/w7rfQvO7pA4BfNPT1TI8sL9NpFz8HXAE+bJ8EkP+a\ne01jHNhLtzJxDJRa+BXQtMh5QtJffrLNnwxBGPVBZdIOJm+FSf+D4v+W+Y/M/ayK\nI9TdOlKExYoWQ99tIgG4J7J8L88Mfh9+dduTtDT/jEfQCx4olxsqgJtxpzjTC3Nr\nDpm27djxeX74otXXNNOEN2Wzs/VvEBCWsHfElIyfdElYIImlzd2FyD1AQyhUoe01\nQOI9cjmmLybQKgIXgyoeQ0SRxZFNYAM3kPw4w5/JAsM7AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyFShMexVSDMDMs5wGt0G\nQBOR8XyTV8JpkCKdSRMW3IsSMueagdI754q202SbfIRa0JFah99roPxa3IAIHo0X\n3GUO9HJWp5gSrGcKUXrOiz6CMsGwSh6N9xVCNFqpc8EsPceG/hCaqIX1FIGizYdZ\nN2+LwpGvfpBQfAPUau0NREEA/HgFYB4UptOSyg+3kRFCcXr+nJmiDNc5qXp/HQZ2\nqn6yhuhLMh/I1KsqN4HQGYDOg8L7ybuRzEgGabI0/ZVSnVJpOeHogtH6WHPKGZXX\nA3aY0sr4l++DTwe2wCXTkVYzSBwG/AM/zfVwfazQZFHG2d2VnlS2VN+otbpv+qyG\nq+dF2TmqxnnaOoWTXsQ/XTiIHLlSmySE4WZR7pZREdx12ahgChTA0/0FVrM28DIb\nvh0T0NGyxfAGYEWDvr+xjFyks8RhgsA3ftUSkq7nrmsM4iJyvSN01la4MZNHBQGK\n+jSHvtn7AGMAkr4VY/uv4NWGZHiWt33oL/TK6EAHJmA9AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuN8verErqJFpNYjzWCaV\nXk8f4uow950aJTwt2+BMK97KMccgIpOTKemN80iiDHHLfsBmNozYpF2WuWtWpUGQ\nKlbnafbEuzmTrRSMjhEjTxfvGNTh4NPnfHCJFRql/C0Zln/1YVnRdF7qcc+C+ru8\nc0OhMT1Z4tu4JoqK3jz4Pf5jq+5Vm3SaJ+h0eBo/IArqDoXEHKVZDggsDRM9gVhv\nov79O43Qt3/pdP+o1hAhifHADs6nMse+0PrkP+bYMu9UQ5TqUmKDdaVnYETP7VYX\nDMG1Ipj5GGhPu4bJzahf1j+4RzFAsb8yIojjgHsKxD42rp9mAZt50tr2meSDEO2Z\nLtjH3zaPdaP5WCcQyHhHPVhibdyP8hLmw9FpSTW5pYRRDT8HHcfp/YTpE5TBKApC\n80io16g/FCveJL6pV4leLEZXeroKBB5SCCAPzXoAL7ITUHM3DSmNNcaf+ClXK8Wf\n+s/EUe3qGD2VF0/xs36rsxnsCwwspgjlh6/B+27/i2QRAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }
+  }, 
+  "roles": {
+   "release": {
+    "keyids": [
+     "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4"
+    ], 
+    "threshold": 1
+   }, 
+   "root": {
+    "keyids": [
+     "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b", 
+     "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2"
+    ], 
+    "threshold": 2
+   }, 
+   "targets": {
+    "keyids": [
+     "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559"
+    ], 
+    "threshold": 1
+   }, 
+   "timestamp": {
+    "keyids": [
+     "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf"
+    ], 
+    "threshold": 1
+   }
+  }, 
+  "ts": "2012-12-17 00:31:01"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/client/metadata/current/targets.txt b/src/tuf/examples/repository_basic/client/metadata/current/targets.txt
new file mode 100644
index 00000000..07322a34
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/current/targets.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559", 
+   "method": "evp", 
+   "sig": "959294bc789a7490e235d6313507bcc8b4c6296a32fd923c370ba7529914d6a41c15b4857cd7c31a75e40af3e16ad66055cc79632828ecd08609ebb1f9dcba1b841ba713a3b1535644385b36d8c882192bfd7e64b94a7a71fa9d1b6976466946e08cce0257ed1b3ba7cf28dd7dc6315a6782d366eef0dde2a2222eb7ced1d6fa3680c51ab83490b46de49eb2e1793bbb08bb6b9c16511987beafb143032b7d86700a3a8ab6f62f29afb8da0bcf6f4fbf6e3b9299f9541b5b90d6f6e71ed8bb05fe14c5c6c6a949e22b3ca2fac00c981c18147fad2c92cb7b7a63e5fc9fa9636c0d94597850f4045147b88ae06f49fa1ba4b80ec09d5e9e13b090a6e877dc30d98bfeadf24402767b2c12f1ded8b886f9b8e09c3c4bf192bc40a2b7976580bfc513127f282a26ebb52d4ac29facf5cfc0d372064a0a06a63f50fd1ae932b1909ac5ebb611184c980a169ec4550e1b23da3169351fe42cb4db69865a027690f0489210b1ea3951fd0089cf46ca8cdc9564ba59031d1aa404f8cff157c08ca6bb3b"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "expires": "2013-12-17 00:31:02", 
+  "targets": {
+   "LICENSE.txt": {
+    "hashes": {
+     "sha256": "cd65721176ce5fdbb05773c0b1349f993b94ce77a51062cfa7a78b34cc82fc71"
+    }, 
+    "length": 3286
+   }, 
+   "helloworld.py": {
+    "hashes": {
+     "sha256": "c7861802c53ca2ce7a9717fc1544a902508576799074be9cc21630553a9471da"
+    }, 
+    "length": 21
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/client/metadata/current/timestamp.txt b/src/tuf/examples/repository_basic/client/metadata/current/timestamp.txt
new file mode 100644
index 00000000..73513dd2
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/current/timestamp.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf", 
+   "method": "evp", 
+   "sig": "401f0b342d8ca5d8ccda13ae006eccff6b970ccb5a40102d5688314c3ddcb62aaa5e71e5f711231e5f0db75ab8764ca7e8d9688736aec25c49575c2a224c3c281b5c5c6ba561e95ab7900f0928b6fa74655b11572d878cabcdbf475f3928d5898a41464739beb2296d01b18017f09658438e32791b6297dda9918716ee9011c5eca22be29b705b7dde33f0f29363eab5348e8b2026c415ea65e6d40c8068e499a3e27c1b85c3f9d15ed251e94b991e469675ce2dadfca21c05ac9f400679bd03c9ff4989b7dbfe696f995697511c0ba80830d51347792ef2a6bc2e8f6ae5f8623c08d616ea94cf2f88c03d8cf2e56f09e189748a66fad393464add092464a1f8842610d96122c372da00638fe90f0ffffe38b2002837f4993e59eb35bb942db2d1e93faa6a3f432be1fbaeb32d60cc612eac1b72d4d5b03c21c2042c720b412266b221bc8917353a7a9140ae4fe5cc6a703e9fb8f898b6cf45e12af440ee06c86d4aab92631f0ae1017a461141e4098df6e7dbda00624e502eb293987053d787"
+  }
+ ], 
+ "signed": {
+  "_type": "Timestamp", 
+  "expires": "2013-12-17 00:31:02", 
+  "meta": {
+   "release.txt": {
+    "hashes": {
+     "sha256": "3a5a6ec1f3530b21a68a5bbe42a7fa5422dae9c4f211a99c678208ddedce36e0"
+    }, 
+    "length": 1340
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/client/metadata/previous/release.txt b/src/tuf/examples/repository_basic/client/metadata/previous/release.txt
new file mode 100644
index 00000000..ade738e8
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/previous/release.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4", 
+   "method": "evp", 
+   "sig": "61020111d9e1e1082d79690596d176d6eb5bad3bd0e695eb42930c39a018d18a64d52d7f4114272c8ee7c1b954708d95e0d7c6cafd95078d122dc67b3709484cef2d823376bbb9010f6cfa8034992df814c55c9f70e9411879ce7b54c4d6f1e4ed91ba328db0c26be0532d404358561ba347f1d55aad0a0eb83d9ba224b6760ad3d47dbcdc90d7ba7bf1597992288ec960a1181a1ffe1ff3b0eb7b5c4423bb1a20c01af2ddf5579e3a0704b4d7a58a8a0745edb6ce41c680239819b3772ae3f20486dc344ca7828c9581ba63af4ec11855dbf6213e2a260cc03b281659fa77c9fceeb0b7a25e1ea08bf1bbe5663bfb502c2145f6b5057005d989a8b35e56ae9b3f1f80c3c74f229d4c0bd3c807a7b6acb221ad42da90bf3137716a7d10aa9004e52ab74ceb706eeb6bb1834df1c994e83a64b3f6dae99a5586668803777d788fcc63e3ed3186c5b1186ec2dcf7fd2d7afe120470d667611ddae9b8617bd4ce1f2f0e6ae37b733a739c1d08814c53b25944f50b5be3f40488f683d3b89eb07127"
+  }
+ ], 
+ "signed": {
+  "_type": "Release", 
+  "expires": "2013-12-17 00:31:02", 
+  "meta": {
+   "root.txt": {
+    "hashes": {
+     "sha256": "72925bfeb643bd56c2368c890eb62af735d35f81d5518f42974c5d90863d4bad"
+    }, 
+    "length": 6571
+   }, 
+   "targets.txt": {
+    "hashes": {
+     "sha256": "e502a5d0079e59e122274f115fcb9a3c84f6d660bb50910fb3a757f58df00fe6"
+    }, 
+    "length": 1346
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/client/metadata/previous/root.txt b/src/tuf/examples/repository_basic/client/metadata/previous/root.txt
new file mode 100644
index 00000000..bdc140f0
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/previous/root.txt
@@ -0,0 +1,83 @@
+{
+ "signatures": [
+  {
+   "keyid": "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b", 
+   "method": "evp", 
+   "sig": "91fb132a9ebf78fb2a688178dc5dcbbbe389baab063dd34fa9e7ccf8cb613a9356eb78ded2f7a12d454e2311b71ca0c75a2548515f1d1d35c1206da478d1535326eb172383a2687087e12f1d19b13b6adf0b4e35b9b992fecef93b0841aafb0143b19fb0e6e2dae49cd4052ddb0c1bcc4efdf3adbede95a509f04057082d80241cdbb5cb190559ce0a57906017b6352cbc0c837ca0d3428519a776454767dbcd0af1cadc5020e9e2d90cd4b8eebd4ca06859486575401aaa8aa6c3603a642d678e1f5b7849949903b28bb9bf88fab62ca30fbd160368eb998ce1c8a90a29573f02f6fcaa13bf1baa1dd72295c4de3350f72f8abbdf6d780810957c38ff2ec499c5928f241f4339c835e71b0013f6dcc41d01a7d43d8def9f8de8a46a73f9845a7f82b2a856096d6cbb9639146b94828ce1bbbf1f4927ab4d4100292d689ccc6efcf9d8fe61077224f4984bdafca6a8848020104130dc18fdea7fb53052d9bc70f94589522e8504a40518b657288ca6c9efaaf6baa562e83bd1e671f8199cafe8"
+  }, 
+  {
+   "keyid": "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2", 
+   "method": "evp", 
+   "sig": "845528efb13d16600a492201d1d656d81ab819bab60d123b2dfc9bfc04647bcf8129872a7c1b0db21d9c1005e4cd55c91282f5410c9939ca3e8acb70d55eced6194c94152d70e00193298730b9019a3282196dd23543f15c1d6f5431efb53a1b04c3d40f0e177d7ad6ecafbda363e89d5dd4e2ce8b7ac6ab2808ff361d6dabeeb443358dfcb763aa9b9857826fc587a2c4b72a0ce7d0e2d073ea4f2fe453a5b72afbcf160e3029f969b290f2e0250225a2ce88895e10fcb6c1638c70bca5d2add74324de9d581e54e9b99c9c000904b55d37a775e8496ca97aae384b500c83e2694403f4687479fb2cc56d981afa2c45b9ce968817e168f87fc0d7419e973c4162baa2e59c339ce82ec5a565a4b3993b2f3e885a1d38240996834b530de306b600d2cfbcb2660ac903b5a7b6e270081fe72f98cf6e29047915ade88cde3c860a4d1637a4f8057a6b7815e21111388bd7a678c8b3221b8adcfc1f4629ff75ebadd3160abd88b71bbb175592cd99f0769bde1466174e0a8a63a07cefbba766fcef"
+  }
+ ], 
+ "signed": {
+  "_type": "Root", 
+  "expires": "2014-12-17 00:31:01", 
+  "keys": {
+   "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuFzNjOV+tTnkMzB+UUWi\no/n0hWE5nKeBie+erzGHsRqYTwY2afsUORnogFkt2erdR9zR4TAWGMIvJbnDujQi\npkhUIueZB6vGCRBT2Mfk8vOUTQ+8Xc6FNCyhLZfJKL8fxEOAaF9HSOt3u9BugPVB\nL5QLc/fcWNgBiTErR/kcLH1LvaDeFijOuSC6VDq4GjONK70n1d/CtGmPYIMQj89L\nsIThUrREIH2oHRXFIUDJLHmAJXgw31chpC4CI9/ehnShcM1AaQTfpNwsOFkzNpfk\nCweYN3w9h6I+/3hPlD1oPluolSpz3MTQ2YXnRDBijptGBz4aPW2V6R5fE9Tx2xZr\neI2wlzsObFSvJ9V8guVc/yVM6PwCeVuQknzFo2xXYvQgzpKTSSgk1+0tiJqZkuIk\n7ENhglKwTL9vu40pTgE+gkKRC+CgDPwJ4+VMZJANsFPfCZxMw8+ddufTL70PtSp0\nKDRshTy1E4v8hMacSprTttDsXyyHswp3BARFkPZDy/c3AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAsCSACdXyAzAjYWk5acxx\nzlEZgftJULKXvzpcbEzCtwC5Izst23twvlKtGYYcJqw4sPKgxgnHy7WgUxKiVbLX\nQvop4kSKqwpfV4t8ZBHvvHypIzS6ZBknwNU4SvDeYdajbzOlNkPvrANtLyfpKtxT\nxuhmEP7lGFL5pIukNvTqIs2J+3NHNG9O0AU2iwydncohpB10utor6GRgkBj2d9N7\neZQrHyQPtMKodtmlzN2ZUwf859neBPvzd9iGLl+K2zfIHKc0AOyn2kUxFvM81FDy\nHaMuWFqfnKWDftAp8UKZqHFuljvt2zk/HH0t5w9mKiy68qL/jGAoaPcKpWgGAHN4\nTj/6ugSij6/GimYdgOr2taD5BWMyxSjyvCE0FvH/Gi+4+DT6Ll9Ri6K1iLOYjan3\njFsTMBkZ7Gdavc1vIkSgn3joZMGvdVK2JYzPy/ZJ15KEnAUbymnA+CyKAA+gSRzo\nYXSDM6JGlCci3pLl235gDu5lI03Wuf/GlPEwXs4pkry/AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA3yIiwviVYlg8NW0B8gxR\nltqmrKL0MfXjoq1UxtE0G/ySki6w8uOznnqiR+G4dOQvHbrTZytTq655v+BySCIC\nQWLyO4x7c2vm4APpiOhIfMjz23uxLhbR9ZVhk0dSv1wykP4O4TIGaRPfLTTTEADS\nqgIIXKOm4zjlztdIzjmlh5vLknI3w1VfRPYT2jBQSZ9Vld0SVNJz3JYW2ylI2jrP\njTPNnrb5GQ/pthrZZFGe1B/w7rfQvO7pA4BfNPT1TI8sL9NpFz8HXAE+bJ8EkP+a\ne01jHNhLtzJxDJRa+BXQtMh5QtJffrLNnwxBGPVBZdIOJm+FSf+D4v+W+Y/M/ayK\nI9TdOlKExYoWQ99tIgG4J7J8L88Mfh9+dduTtDT/jEfQCx4olxsqgJtxpzjTC3Nr\nDpm27djxeX74otXXNNOEN2Wzs/VvEBCWsHfElIyfdElYIImlzd2FyD1AQyhUoe01\nQOI9cjmmLybQKgIXgyoeQ0SRxZFNYAM3kPw4w5/JAsM7AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyFShMexVSDMDMs5wGt0G\nQBOR8XyTV8JpkCKdSRMW3IsSMueagdI754q202SbfIRa0JFah99roPxa3IAIHo0X\n3GUO9HJWp5gSrGcKUXrOiz6CMsGwSh6N9xVCNFqpc8EsPceG/hCaqIX1FIGizYdZ\nN2+LwpGvfpBQfAPUau0NREEA/HgFYB4UptOSyg+3kRFCcXr+nJmiDNc5qXp/HQZ2\nqn6yhuhLMh/I1KsqN4HQGYDOg8L7ybuRzEgGabI0/ZVSnVJpOeHogtH6WHPKGZXX\nA3aY0sr4l++DTwe2wCXTkVYzSBwG/AM/zfVwfazQZFHG2d2VnlS2VN+otbpv+qyG\nq+dF2TmqxnnaOoWTXsQ/XTiIHLlSmySE4WZR7pZREdx12ahgChTA0/0FVrM28DIb\nvh0T0NGyxfAGYEWDvr+xjFyks8RhgsA3ftUSkq7nrmsM4iJyvSN01la4MZNHBQGK\n+jSHvtn7AGMAkr4VY/uv4NWGZHiWt33oL/TK6EAHJmA9AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuN8verErqJFpNYjzWCaV\nXk8f4uow950aJTwt2+BMK97KMccgIpOTKemN80iiDHHLfsBmNozYpF2WuWtWpUGQ\nKlbnafbEuzmTrRSMjhEjTxfvGNTh4NPnfHCJFRql/C0Zln/1YVnRdF7qcc+C+ru8\nc0OhMT1Z4tu4JoqK3jz4Pf5jq+5Vm3SaJ+h0eBo/IArqDoXEHKVZDggsDRM9gVhv\nov79O43Qt3/pdP+o1hAhifHADs6nMse+0PrkP+bYMu9UQ5TqUmKDdaVnYETP7VYX\nDMG1Ipj5GGhPu4bJzahf1j+4RzFAsb8yIojjgHsKxD42rp9mAZt50tr2meSDEO2Z\nLtjH3zaPdaP5WCcQyHhHPVhibdyP8hLmw9FpSTW5pYRRDT8HHcfp/YTpE5TBKApC\n80io16g/FCveJL6pV4leLEZXeroKBB5SCCAPzXoAL7ITUHM3DSmNNcaf+ClXK8Wf\n+s/EUe3qGD2VF0/xs36rsxnsCwwspgjlh6/B+27/i2QRAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }
+  }, 
+  "roles": {
+   "release": {
+    "keyids": [
+     "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4"
+    ], 
+    "threshold": 1
+   }, 
+   "root": {
+    "keyids": [
+     "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b", 
+     "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2"
+    ], 
+    "threshold": 2
+   }, 
+   "targets": {
+    "keyids": [
+     "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559"
+    ], 
+    "threshold": 1
+   }, 
+   "timestamp": {
+    "keyids": [
+     "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf"
+    ], 
+    "threshold": 1
+   }
+  }, 
+  "ts": "2012-12-17 00:31:01"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/client/metadata/previous/targets.txt b/src/tuf/examples/repository_basic/client/metadata/previous/targets.txt
new file mode 100644
index 00000000..07322a34
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/previous/targets.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559", 
+   "method": "evp", 
+   "sig": "959294bc789a7490e235d6313507bcc8b4c6296a32fd923c370ba7529914d6a41c15b4857cd7c31a75e40af3e16ad66055cc79632828ecd08609ebb1f9dcba1b841ba713a3b1535644385b36d8c882192bfd7e64b94a7a71fa9d1b6976466946e08cce0257ed1b3ba7cf28dd7dc6315a6782d366eef0dde2a2222eb7ced1d6fa3680c51ab83490b46de49eb2e1793bbb08bb6b9c16511987beafb143032b7d86700a3a8ab6f62f29afb8da0bcf6f4fbf6e3b9299f9541b5b90d6f6e71ed8bb05fe14c5c6c6a949e22b3ca2fac00c981c18147fad2c92cb7b7a63e5fc9fa9636c0d94597850f4045147b88ae06f49fa1ba4b80ec09d5e9e13b090a6e877dc30d98bfeadf24402767b2c12f1ded8b886f9b8e09c3c4bf192bc40a2b7976580bfc513127f282a26ebb52d4ac29facf5cfc0d372064a0a06a63f50fd1ae932b1909ac5ebb611184c980a169ec4550e1b23da3169351fe42cb4db69865a027690f0489210b1ea3951fd0089cf46ca8cdc9564ba59031d1aa404f8cff157c08ca6bb3b"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "expires": "2013-12-17 00:31:02", 
+  "targets": {
+   "LICENSE.txt": {
+    "hashes": {
+     "sha256": "cd65721176ce5fdbb05773c0b1349f993b94ce77a51062cfa7a78b34cc82fc71"
+    }, 
+    "length": 3286
+   }, 
+   "helloworld.py": {
+    "hashes": {
+     "sha256": "c7861802c53ca2ce7a9717fc1544a902508576799074be9cc21630553a9471da"
+    }, 
+    "length": 21
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/client/metadata/previous/timestamp.txt b/src/tuf/examples/repository_basic/client/metadata/previous/timestamp.txt
new file mode 100644
index 00000000..73513dd2
--- /dev/null
+++ b/src/tuf/examples/repository_basic/client/metadata/previous/timestamp.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf", 
+   "method": "evp", 
+   "sig": "401f0b342d8ca5d8ccda13ae006eccff6b970ccb5a40102d5688314c3ddcb62aaa5e71e5f711231e5f0db75ab8764ca7e8d9688736aec25c49575c2a224c3c281b5c5c6ba561e95ab7900f0928b6fa74655b11572d878cabcdbf475f3928d5898a41464739beb2296d01b18017f09658438e32791b6297dda9918716ee9011c5eca22be29b705b7dde33f0f29363eab5348e8b2026c415ea65e6d40c8068e499a3e27c1b85c3f9d15ed251e94b991e469675ce2dadfca21c05ac9f400679bd03c9ff4989b7dbfe696f995697511c0ba80830d51347792ef2a6bc2e8f6ae5f8623c08d616ea94cf2f88c03d8cf2e56f09e189748a66fad393464add092464a1f8842610d96122c372da00638fe90f0ffffe38b2002837f4993e59eb35bb942db2d1e93faa6a3f432be1fbaeb32d60cc612eac1b72d4d5b03c21c2042c720b412266b221bc8917353a7a9140ae4fe5cc6a703e9fb8f898b6cf45e12af440ee06c86d4aab92631f0ae1017a461141e4098df6e7dbda00624e502eb293987053d787"
+  }
+ ], 
+ "signed": {
+  "_type": "Timestamp", 
+  "expires": "2013-12-17 00:31:02", 
+  "meta": {
+   "release.txt": {
+    "hashes": {
+     "sha256": "3a5a6ec1f3530b21a68a5bbe42a7fa5422dae9c4f211a99c678208ddedce36e0"
+    }, 
+    "length": 1340
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/keystore/4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2.key b/src/tuf/examples/repository_basic/keystore/4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2.key
new file mode 100644
index 00000000..5d4735c5
--- /dev/null
+++ b/src/tuf/examples/repository_basic/keystore/4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2.key
@@ -0,0 +1 @@
+01e42cbe47c08985@@@@1a4bdc5f34685cc82c2e2c7a217654da@@@@7141a82ee067e12c72e78a97e82a373c2bed71926eb1f5dd91ce31ce9265e50c02139d95ff00fb3537a464e974be19f207c0416baf4f2c0909579b72513f6727e978c10d6de79aa1857c14ca52725de03423802043853e07b5ac7a4541039ff9be304f84236529cca0db53aae7fa8ec4f2dd381cad25857aefc85587be706a6fed24605fe9ec9db3f584fc7c4632f14f2810cad0572dc4a0afb3bd00e1f253240e6c361e0c400ca15725718e86693acc9e3f438196792e9b8f3e622279b9b58395693a26ea4700b57c1a344485af0bc53a93415b131c5d7d5d8eb3d9584b02bbbd2b38087c22f0f15902499bd2c30b8027ea4859d2ccec2f757f38f188fe8fe032f16fc1aab3a6dd3b2c5de030ebea7b5f73ab5ee1c8eb912b57db1a49d7c1568e6d8a9971e34d4b7b87ab20a9ccd4c3a125c8f4202446117a81413ac488bc9e7903902b40ed11ad6eaf04bd01102c1ab23cf9d80a38f9e0c5403670f4a0bb48cee8cd8f536d00f2bfac14f08185d45870cce4666e11d12f6a18e83dfb4ede0639f08412b976ab95a59b41248e004b32df76ba0043c2ba710419046ef9792184583b8d247db7e6e6b871228eba6acf2a56ba51e5f1670ce2447988f56c32421b86549db1b67f814d6a0fe9253b8b1a394a1137cefd5cefdc07c0a2273bcb21d90f547168c6286d6807086e9b3b7f4d6e406826daaf7bf021536ece4eb8e9f480163e48fe1e7a32769efe309c2ba7542606610690cf050dd4abf272ffca3b68fcab1ce8ed4158230acf8e017fb0397ad417556ac617031aad79dda2f147932747fe12eb14d534fec9d041a7953c133dba8bcb64240c60ec819d8821ba0b394e670f89fa947c2c2ac9df04f1e157444897a06531f0e8df3264260c1899847bc3648306114ec0afca72d4203188f116e1402c8037e18431358308292752083d315b73eb3a228720f9431bfaccd471bd06c8497fb1b64b2229fe3be8fbca25c81b2b0df4e1763e565c0ad4147af44625d6b3437b7412836853dc86b13dcbd6fd4a41620ea02f0c9f57e5a213d0c318b50c6b8573fbd26de62617dcb046688c64f16aa252986082819ccae059017b6f0860ce48c503360a3cf547d0f446c92d9aee0f59a829cea497f21b65dd74b6373f6a27a46db3c5c8904330bcd319f74662bd481851c863b8dbad982cfaec03398b8f65631159b07a3f13478b30d65afaa6d85f90b35915ead07b842c2785e695b6aeef6e90033f09c155757581384a6f39da83015cbf489a262d24a6ed245cfd659f3bfe035ea88112772149da2894394a71f12740a5e15be071dccb7b81787859313f045c0f852dc9253a60ef3dc3196bf0c2ff3698233404d41d9b0813f4806ead02485d710a431aa9b51850cf7dab2405fc4a4539a68beb258bad418ba92026e4c07496f47f78f242a560bd3678ebb2b8f68b3adfb6078da11129035eaa7d03030e5f525177111c825d74de65617eaa2f88ec6b5818585d687af4f43ee98c833197c12106738548495d0be7bbd5cd272465f3b5d5f1a47c95dfb00d3ab39c972ccb9c71f49cf0e39ff5bbc67d4e79bc49f1a898362409e4f0fb864244cf5db630eaf5dbaa6ec83b46bec3af9e9a3e16c0c972c6decf6dc0b3bbbe495b0b9cee69ae1742748bbd812d61246fa24ae19c4ab674d60700b185284271d70c2276dda3c5fd9575cb37b177de4b2b35882db76847ce9c2126b15c22196e926409d66d15dc1f0704d77f7c8b2290947b5452ae2a5a7e6d15f14a4a1453c5906f371bb9ff2af69fb26ed2c0c9d5f30c11fa5f2b5c6f64b6daa38f0ebbd91b57a7b76cc03787381af5ba9e22dc3f4a56771dab1182d8bccdba6b860a60940a037e3fc6bae8b84c4100bead823c32a18e2933165805f4255309b2912359418e9ca8c99ec3ad42e406e321c5c853988c05db04cdba12b2f89549d897d4a2753b1cc45c95bad1ed184a2368d4af8ab86bfc9951e14a630cdc225fa60c67a8fa68e49d816d47505d967467bb48a860f008696e5a0610455cf0ab4c64b293cba7e5d86781d8649da67f03ae1f968ea55a9629e7bc452dcca722071a1d6093a444f9ebe19e5b9370c3e8f819acdcc830ecaab09e76d91b9237791aa8ddef6caeb38211333081093c1ac5e13b509f616b8382d29f1ad3a33c3aa737727f7b218082b6b8ae58bcd8c1552816112610526984cdf16969c6404078e628dbb85b1b1656746b4535cd49ef69b3856f022f2f1524303b948400ddd77adb01c2396c53a70c1885f6242df0cf15fcc040133971965bbb89d355835256a3d8bf1657e59edaf2e645a6bf77870ac665a7938dd6f126f47b0bf995f09a8d244aecec5cec251a3bcc4a079d8bf8f6c506351f6f7d30828999f67f87c73eae6bee5ca69037203c7f19ac4d794146fcec7b6029845a6114ece833bd41181d1d8b6c6128c2bcb40a9af23ad10e24b1743733f699d59c92a5dad8f12436cccfcbb96693afafb158aa9e5b2cf327cb0b5e69a2f5c0449c3ce2fd31abba1116169e1a6398d4ca16036827a1db838813204609e8368f932bf0c295880d97f764073a29a210b0d61c9b1cf088354ff5177ad2a878bfd1858f1342de479b09a424b4fd2ffc0454c8c31365c7a3459273eb6bb46a466b5f0c7989eebc40c02d9eb9896cbbbb27b83afe269aa2eb90e0032b295c67313b07b2caf5bb59b4dd3e2a66b0046bffca6253ea29b9ea788f0f391aa0792746c5524d1842142711b3077165eb6e64499e6554a78db32fa807834159231064980f456e84c81b3a4bd27c5f3223f9a5b1485abd1d91cd4ee1c39d5ef02e4e39d6eb4e306a8be0e97e384b5d7bbe65292bedc4ea52bf2523a20ca7fab945370a617b223c639da4a9ad0d23a5078c11ca53ce3c7d78844f48fe4c55ae57b1eecd281418ac578114edb69e72b7d46b794b3c49f3c2c809314f3e987567f869b7e82b7b23cd7170857603b346ebed82dc667a795379b62cac5d6d380f7468e7f874c9ab61e8896453129d9ebb916847a4d0274f2578ae091ec8e2cc18f09c854ddb0de2943aeba8377b157c2a0436317a9f844afd1d80e2f1c7bf0919954a48ae038308c7f1dc3429fc80dd620167ddd6425bae079aafbf3b81a321352881e99a4e0d5275fcb3151514175f2fa88985771f7b3a6c2e95d72bc3af3bd58169d3310458d295ae10985017d9905237a4303080e95d472555cabc5b0032e234a12055bceae1d29990f6b74e6aeb11969e8599abc5c26dc4ab59c2de3a63e4f63104c4f91086690ff98d745cf8abc9cb42ffad66b09b50fd40009eb8bd29ca7477de8c63e37e615a6ba92281da60c19eecfd0db2476314a7acc19a7e34d125de3badd82eb2e2fcaaa097fc66c0b3e2832beb1b85068d5b8d9eeac8af286e19ca9c482738a796b174ddf4c8348c523240dd09b7aabb549b448c78c7ebf468a92e6c947440c328ac46fd22b4037cb2b839caba41fe2a7153622a275a869441e67f92120ed96ddfc794960cb3650d321a2e7fece83f85da703d2f11fefbcfa42804bffabae51114c2304fc94e1e8ba55b7e0807f6475b403535682f7fb9209729ed5e6ee050ef955428816eee7d1a0d450d00ee429c4ffed3452be9db7f4f858be2003600805c72fbb8900224f91cb6da48aa51d1d79f0efe29b1a72a38f3aefae5d07dba10629cc61498274ba5454c274dbc193e88aed4022dcd367fb94090e4684dd728184418b0e53f2143063f0c3e91f64388ba4e22ef17b7dbf214f8f9ef759ae0bac69c0bd89eff2efd74d9f5ed97ca2e443ab2a4f6d60f72204c7daac06862a050a723b37309576a2ab9b3d0bc7356e1c3b3dec913a9c566a736d38dddb48b3912505426cd2066a4f7fb4b39c7bc2bcc56268f6583f170555ff3fa8ac97fb7648bc127bad7df0642c61bec5d800223e63f9923d358e49d61bf627c246b35a81b65eb95c0412f69eb7a7ebb11862630c877c6a696e4d51007bc9734ac8ad997bc436c632fd0dedbe3e017af7d5947b9a6d1e5242e6fba720db21a714886f57fe42be4025b07574b846eacc8ff538aa5ca9b23ade45b11d49db50bcc4e2caffafce4b98558eb8d45e6598d7854416dcf90cf21ddfc833b1a243d9aacaca7a8bf0d5d7a13d20725afe1461d46fc8e727f560ac69a6825b923e6705cade0196eb2c911e452faed2ef9fba180a43a48d071157d1a4345e66dbc64eb3d2d08d0dee3a13d50898f6f19c8412dd4719d8a01bb267ea112f3dfe9836b46d912cb58264905ab2208ceb6174cd90cb78ee19df0b4c93f76795eb8988ea5c268145512134fa9037ea3abcfef8bf19062d9910595927f58df26eb618d53613249a58fdc02cd7800e7f2f861707360755b5ecfcf096b2545c368d671f611f9439797e7f9d5f228ddb1c9a227a63632d01e8d50095f21d1451db53c9e28c4957ebf2a5d083b8cfcaaa525d7db56d55d528fd0c4a456f49834b2509eb89bdb1635a6dfe1d54678869b7f75fe781ec0cee3d6c150f549befa2f6e
\ No newline at end of file
diff --git a/src/tuf/examples/repository_basic/keystore/7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559.key b/src/tuf/examples/repository_basic/keystore/7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559.key
new file mode 100644
index 00000000..7edb9d37
--- /dev/null
+++ b/src/tuf/examples/repository_basic/keystore/7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559.key
@@ -0,0 +1 @@
+737593836dc1add3@@@@2fe6c5635f9a7b8e8bdc8377dcc75f70@@@@73580d365bb612d33a1041b45b5b40578d427f1b5c5b2f8622ef5125bfa8e23995f1709848fecdf4506a1dd942cabcd67afd17adcabc5bfbebb6d407e8fa99a574b352a58f73125ecd4b269422abb4df85e7e164dbc8e67fdf93e054eeb0321f43e77e1c8ed035f0a7e7668b576e0520abb9a5fd582f31de264c8d21561d0c66754aa9dc336a60ea7806d006ae1759cba9d7c8b3e261ce95c8edf238e19ee81e63d2557232382f2b3c90008f3f58055f86d806854467717edaa59c43d06d14a9563aa587e4758fed744514297b42ebbabcc0f4470ff3d05e1cb17a00dd06433ae97fde3dd45268f6a6110f745317e84e6fb3efa4b298f2d6ee757d66e0c4b4258143a53698d92d2e0a5feba3f2ee3038dfd98c838bb9d7d5120c7d1ce13a7e81fb3819493c7171d69977914416ac723baf04f17fba83f97dfcddaaf109ca893e5a4ba7750c59d93c27f327cd765d4bcaf6d2aa734905a7209c0cc396552e600c489334625ad8da39822cce0573aa68a2ec0c787fe12ac92faae1563f819f020d36975b88a2be7d99088eeefaa398d079d0ba6f9d76d2352aaaf6570e3a2c657810c3451fbeac2a847c78fc87ef7489a49fc58b35d35c12775ce5daf99844a0df7f62591a64b1326f51a2e00e7e55348bf46dab048ca3e7811a94f130e9730cd1aff3bdfc743514932fc6ab24de71b1060a639ec710cec7ac7c0877314e8c52350caab31d2962c7111960b2e7284802dcd1b06bc0d1aa38a6c3496407380ca76f976328a5438cac27a2e4ef9a3affc13b8537fb36e4050259fc5da329d6145e78cd3f47feeb6e8331cb213d96161939b9b0ce1dd09c4b3d20303b84ba6815e871bd0b0ae8e927fb71d53b914a29e2ea369a9c00f8b3161917f03d36e84009a9773cad09cae37f4eb204d07512e6ae072f66297da35e30b21ab0bbf57ab7e678802274a496b183778fc12821377759ac4fa5edfece058721d3ffb624b296354c0007a3194922e76569de0486abb531e6105c4a84b9f7073f0f11cf257a06f5e074f2ddf0c22e458f0eb5209c8e578cf13c290a3599b6d580ba4529e875d6ab325e06b577e3d11990428a780eeffb2082619ab53a975fe091c2af1a2695ebace31454f9333d017f7bfe9032ef592d1be116b653cfceac05dbffb3a6f35e4a104cc290edb0244b8cbf743d1c4eeeb4ddf377b36313f5c5dd8d698f66f8fb0ed3f2c1a0118813ddac73e258256e63dc09e4de402043631cd3fa425c2abd2471d55e145aa4e16f467c002dc8117b903959b209fb0f73e89cd62b061e1b7e3d48b1ad2862e752b7105f19e8318efa15a53921de535395128860d7e7311a80cd5d4418ec561416c38090c024273ed90a6e56b320518fb3bd2e5d811ab611897c7d01d56e9fd8e2afa3c46b438afa29fcac9127f2db14ddbbead223f00bcbe47bcae1f2df58b43db377a82e9d9cc9fc5fce972867faffad8337701725c3d60c1f307e076812a97b0241c704075ad8e25069096a3dbdf714ddd7dace2808ce218ee692b4bc0e9de65e088a17e0db5c71d2a7b1a34d5192c5bfca7a7aa10ea7638a7f187443217c4b0cf524022fa51fcf4ac5c334e3e87d6ed1d7d149cbc92f8938e0dbd5acbc23e3dd2c0803f61ffb4c6d443530ccc6400339d34a2a9c54fc77d70204b6ec9a52ab425153e1e5c0a1a49626aa5aa1cb42583c484b62a716c65dc20ca7fd23765d79a0b71b8cda5a13b3f25358f9fdf33beaa8c432d5662b74cb4872d32b48866d10c3e80b39c8a2aa668a76f8a9b5c635a80a60d2bfb8911195c9978b2db2c3bcd183d92b461d025a621debcb340a4f5067fe32e68b511da3b84b2baa96b5b8828a12298305d7e5b68c0ea984bf1e076edd5fe844b8e93fc70553092141c0128a03439296f0497a70d1d335f430a5f18e9158f919d4bd9bc0e58fe47d716e1f89c040572a061ba7fec80b8b91e1e7899dd158a42babf9d8ca5c21d0d274fd52d7c38c25fe1c1fd440b8a0b6097b6b27269b7aa3d8f58d71a40cf09b05591fd27cc838b981f3f9f1519b830c232adb9707ae16a2beffd2b43cc7875dd32ce04899a828d81ee2affaba2c643b55ffcbca39fa463ded242ce80bb0abf72a51b0fae99be46974db180bb26c860154b55c8cfa91e5065d45b32892d854a15d4794c43b40cf6b964373d9bac537643842b407eba0d8372cac8abd3ed758d8af8a19aecc74e68ae07039b8c4161409a1774414f172af83ad58738d6b0b3bd8cdc3695eccea1fed249f01fa149ddce3d0b437de2f0a39622fa4549fe1520b701a452c9e8ce2bd2218319b91970fb443fa8250c636b5b6b4d710419fab710565e84225120cb4f055a4ea8eb6bfa75053a6e0cd2163eb19e85016b602337b54b57cb8180d5c4c372b971b06d08ccd909292c13742f5f88a8369f17e3d7cc765020ed9902aaa6e33500072677355b69313f491f28f1f09bfcb5da061a5242c12ffde1cc475a8f6055fda1bd78f963a1bb781c482e6ccba0ab34e73fba6d9e9b6e4a26076a78f48765fae7f6f3aad4e230ec7b90f7034a8291c0da423707c335f8a0a4e68487c67b950c062c7043f0a6c8fc14294f33626335cf6b8eec2ff38aa2ec1f6593c0c8b08c15a3d7716cfda713461201957c41c2bce470463d3f4c58e4c3d70afe19d8c0e1c3f8569f392d9117b1358f77d7701a3da32d46bfc022b553723b5c927a6d60f535aed9a910cde597b900eff99f68a302daf55088d749b0fb6dcfa9f21323d5fe791d5358428add85bf3cbd003998c3861cc9336e38e9e1168b90bb69d9a3198b09ec7d311b88474e141a06aaab3291dc378b63654164be22a6600fa32abc0707733d7e4b43ff6e8bfdb80ea709abde7f0130945bef5d5396ce614642f449bd50d03b867ee1360202a7ced9e45c6a9ed22a45e103c4367479947106870a6f766d6a20bb2bafcdcd49049dac16ae7108c46fc2751f044477430b59aa8844a9895eb1aa40e079797e6f396da6d8f9388d931bd7ca39cce9603fb82b7cd4f385a46154e573175d21ea3910b275a4c606476809a61e9622c0ae64371ba52ed486085538f0aded30f02d8f2c87563e3ee489222c2057a6af970b2379f87fb91a7559b18ce7a6f0251dbcfc27d9a43fbf40eb3413e891ddf8410a5298b27573f02fe41e6208546777f6d0845b21f241896ad4998c81c2baf290145abeec14a14690964207826a92154e4853f8cd9a4266144a57f5a7fa71a1e6da106c0c437c074b10f37d1e420d0dc48f13f19ddf4fbe54c6485bcdfb1eef4b048959a902ef548d76cf2adb59eddb51628b138281b14c0b10135368e4a2f959765d60e5493f2c20e21b2457b102d3ae0c6bf1c6b26077d4e0b8c46cb8bfdb7f0d7e18265fa4523e2c8181eee4b85a8f158e546d08589cd8a5fbb1343e6d0e0fb215f0639e070b2f27c2b46e091a99ce23c53d02a2c71b3b956cef53c68c1b213db62a0accae52257d5ff1f2a003acee093ee3150af8e41fcbd6928247ce51ad88b31358893c47a52cd7091610bf0c4d6c19666705fc7ad1fa9355ba37a2557c75af3549455139d7a46d9512695e66f64398932f66932d9701a1365d6258afc11793d34188ecdbcae81fe031db626d892e5f5e00172a7ae306df285f8ffad64f5050e165e1318e1d6137dd20a19451d8b6bc6812ee9525facf6f6e0b36dd16197646d6b9cdcaa656a0bcd24e7592d122b79f0f784005f8d014bae39a70e05ac1a867c65cfa434764f2d81309a5cdd56f977cdfc3c76e6f396e301fa13a70e6e06b843fd424b83ecf9c059da33b377d25db17388991fc9b6eec3ef457bc9ebb1580e9c0cc5737cd2ba854e6edb9491522f2fa085298ecb660b7989e88260e5ace7778be724889d227898dbcb23cf37d070cd69ece80220649286144161b0880220e0312cba1f3a9582a33768e7ec0f859e5d2e444be7720e08769e33627ad63e71cff4464e68d9f1e5117748bcf76449adcc79df8af3c17929677c69fcb23719102a1a70af57688224eff9488ca467a914b32deed6d1e357001148849b4a8a56bc9f49676db48e57ecc43daf16edd2e3f2f181f1f0223fd2ee6dbeb3424028967173e2faa47372a26f43895b69d97388105c8e4f2d4f28cbf42c9edf71f08859cbde4d7ac4678f841d575e38b29a6c1f7b7da73f884f4ddc95c6ac5287de1314515a48f48640e49a265c13b1843fbe91eade32839c9c2f2787965c94e6c9148f8f377c68ae47eecb6c06f2a18fcf13bf2cd88bfa8e6ef53a961944d51626b93fc47a52cbd3aa07ef58f245c8415246958487b3f259c6cfa6a315b25547e0355c9f218bd6ee15d1534386fdd5bbacb4567e9d42cb2330984fea0071b983643048552276aef530be304cff1698a91a787d88deee2ec11832366f935999d8ddad8c83ed8351a86a7ce22734d1c4f92675d86886396162beb7be9f356e7e91f2bb3392c2516097c6b86ced3bcd4f79a247e93b85760f8915d7f1ea4407f7d439489894cf56c84029
\ No newline at end of file
diff --git a/src/tuf/examples/repository_basic/keystore/86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b.key b/src/tuf/examples/repository_basic/keystore/86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b.key
new file mode 100644
index 00000000..00ef2177
--- /dev/null
+++ b/src/tuf/examples/repository_basic/keystore/86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b.key
@@ -0,0 +1 @@
+b156d80060d60ad4@@@@c904e10836c9c61bbcc4955e7e5611c3@@@@c3cda40bbeb44bf8ccde39c971c656c56e1539d21f49c2af4125bcb8ecd068faa210d54a4962045406a68e26f205d27081c69cd836ca090c7d72e89d9786587eaca929f5084f6358d9244498c08968770282f25965460989c197992af2b8da8e5cc60b11858b51be30c42d21cac7c01b15f69e1d7d409bbcd6787ea2663d9a61d0be9bab51ca661b95783906067c5a94eaaf57e7c3b4c0deb771669a310e66972d35576d152644665540f1128c6b64e58d29675ee41e93ba7990f0968cb3d2a8dc93675c2fdec3540817a22181f2b9b62ad6caf62fec5235558b26f7f85019754e8c4a71832e5a680abc69a622ea79744cecc0f831b54c9df4c0ef93171594a5657434f8ab2bc5ec9a1c787e84d9f43088c9061066a771303705533d27afceee3b67de5f4eb47c4078a6814a6847d5ade3eeb77c6433a90e9e60ee1c58601f61d1238207e2f5f9ee7ef4eb23714c64b928451ec30a5356f9af4c8f967f8bcdecb946cd466e6fb3321626cb0137ad8e91681ec40ebfd8e76da78b5c49dacf4e195054fcfe1df37f5fbc25d627c9a13776df959810b78ea4c2717a12d449db0b10dca51203db42249efbc006b113abe9bf55682cc4b8603660862ba5475bd98b674de9f7a5e49b9d3f724455f0b67855b92329687f28eab6b9d183c0969f2e5d89cd015cfccf857b13a573851776e795ec5aa44f1552bd5badc92a37b7141b902d4ba4c7ad0c01bf1fb2adff4a8585ea1b1740fbb8c852dd15bf6048f80950a4593c6158ac874abc156ec4c60c49bf261d722b2e84291c9c1e5b380bfad8df41f23627d546b630dbfc3b0e5f7dcdd4b6ba2f3479113d9df2a66c9da2687f38c248f01d43a3df59980768dcffb48bdf630d5c1fbf004576c7de3e2ff6b1edac8feed3595860acadb339c1b006db3ff82d459d5af41faa1511c1283128ffb214e04c1a2bbd072498b433c483d3ddc98f6b4d6c77f4aaa61e63f82953438d6daf3c35c7dd3f2ae05caaba088e9c39bb7e58318b838466033484784fbab4aa2668fa53689b9e4026e595886cc51d50fedbf2ec425b1d64be329938387114da86200ce7524caf6be441fa06535ededad86cb591ef75ad6368be4fabbf8005218d1211cf95eb5e23922e0f726cdec79dc51fe874e07b2eba201cf7294497f643dd869224ec8f5985e441b0c32f31fa923c4fa22b23f2d10f508f18db700086ea468f9988c15c2099c0bb633069fb32fd2a8d0be44212cfe0435e9be816049646f96e434cea41f9f19b314021e790c38720bb73d0e6ef6cfe8f93ffea1fd027c61c448983daa3b25ba0096255ca66231a491fa78b03f2a4ea43015b7c4e5b067ce2ac57513d67418fca045e1c556c096526cf3c8a4b7d22ab217332d4f830441fd5680275d6680ddbd367463125c24bf471d701dd8fb79827c925b448c3bc69a04a426a5bdb257913e181a3b0b18be0e207d520a0f173b66c6844afd5be794b9de1a39bf1b6c597c52650b2471e1ae899b809b445f649d838496b9b11e33a14191ef6d137f88ab75873c2a8dd698537a8d6f48475c5198b132052f7fa691b99edcb77ab93957cf6a35ab039addceeeafe55e23066dbbc3f7149b5d6fd8b6d9936eb304fa8cdbe1c6ae3dae827fd0b6ea4b97b3aed4fe9f26174e1972ae62f03727903f8902b3de084cc4c0b356f44e822baab348829d851b52ffc323d6bfb0ba86981d17ead08869e69d0654b93be76f5120e98e5b6bdae5ac47e7e9ca4b708a513b02040d55b791390707f45c65604188f823af9766e4f3dff74d92931d1d1d4afb5b91543eb6ec61658f4c1c12ed53686ff3d2009a2a55ab158bc39b1cbbe596bb53c2ec603e99837b83a17d832512ffb65d4028b35129b6c0f116129af398baeb4033544f004ed64bc0559072689be56b948c50f43e6fdc8feaf91a568be176545fe4886e84f830546cbc5bfea873619c74cfb3fd7e6f7738035b9a50228c3a221eed34f7d292e2193a6ec02c3b099307a11083025eea24e7dc783494c208009391ba5ffed4d431bd70250141cd4d1cde0e92b9c35065f26079a37b92577726d365abd12a9a12d6cc5cb1979d75c1c344747fd3aaebd1b98fbd52fa06121a32819f969cc755ae1e52480517e2d5831262bb38fa6a2ea60ed9cc57bccac1a86b9a7deaab643eaae2506bf23b47415a06d1791374f532d785e0cdc674d0da034f0eedd81780573c807075cf750e9a24616e1bfde9d6f661f7161ef3e1ff8b8b7cb1a3fff70a9607c9e8cf717b0f2b660aa2d30bd4221de13736163129a4b69c0ff8dd30ca5222efb6430205cdfb2c039c5cae5cab341d1b0e409f9185b1306f9b6ff5cd7f65814e4099b7c4722ac183408e7ca10cf0b6353aa9b298efd01af0cef210bff4b812daccf2db3311bfca58a404c246509d661f4f5db0057342436b59f68fece5a7cf684f77c77650261b2fac27b60d17dd4381002839595209bc2f4edccb0f2c15c9458c127036fecb51fd82416554bd56467d30f1538728543f2a75e7b09ad78f209c4c211479ee02f5f2de8df516c32114bf7f8e697ab0906a6d4bf289aad3127b03578c9c9a0eec758ebb7563011fb2874fe1910b873f2b8040c3b8690716c6d318fea1a22b979d56514aaf08f1f1361e47f1003576b63a716bfbf21566f36fbbb92eed9d1654736db3ed261a49b36c29b3b9c3af70149de8542b217e500686becdc64ec92c868e50d05478ee1830d39620d0eaddc6aa9f6df4ebbcadcaeee907b900df2aa458a0d26475ebce5fc830302ae2cac7760f8d778ab5a931b2697b3bc61e5c34d27662d26980c737eab211b00d1055024a8e8f85382fa3bfd6fdff2691c064834dca2789e2d1d02e74e0a550e0a322331484d1beeb50537f7fff2fad59997be8fe968746d95cda7f8b6269e5f527aa58d39713ba04122f20fab8979ed815bdc0f867e18deaa72e87cd8a4258fc0bf496c7cbe56b6597c92403e09fe25b40924ac08464c7eeeccb1f5206966127397d464343ceb9d79c6fd3eca0578b37a54edc8e0c4416a22e6c9099f8d92ac3fd2354f17bc45fe65f47d8a097db8941bfaa7f4d03acdb79a41d99d232ba964dc2d6f72122cfcb6cd0064dd36efedf493b11975723e923fdabe125fa36aa8e7438fe6eb32f2ab5f93ec3422337247293c79f63d3866be4ff47d5e7ff30c480ee8d6d4e1a44c6f04942c7b8a131cd140f53872571af74bafd2829c70fca352e2cf3ea77d6e36e2d5ae1e44de18438e356b0b7779e68817d521f4b48855c98c67c7a7dde92d584f9a206bc47ac36b0c691c84aa2390a7898bf1fdff8f7615886745802470f5a82be0444163e31d2bdb6707c780586f636fdae3b2a7853e1ff2664c2882c33765741eea147b3e32ae0bd50d14daf84867dd2a00c3cb64519e3ac5aebf72d25f7dc5a62a06dd80177c78e8761167d59a0c6cb357930c17c7e696b65d500b17d7e34562cd584f1e06f6f35492e39de63f455a119409f13cf4c8b3bd9acf75389bf7ac1b21bab2291d1c937211bdd38622e2eef9af7855248389ff597bb0bd5a3572fb40ac0e1b3d6ad32c64ec802b0790450feb325b8a462be6e6866095c7eac069f39034eb4eaf2c35739bf374fdb8d68e8e11cee969343a819281af1edaa2f26845398599d0b3aa6fb1433e97fff91348ead73bb81fdb473cc8e4db9bc19f5167decfc3695aa2610df3de1af90c6c5dee5e77a948ba8e3731c154347b030e422de34e291580896920586fee1acd4acf05225dbe74fd1c72482e8c17e3dc13206f322573d4615e6bd5f926dba2ddef8a7f09a0085dde8aa6d20eb72f393ed2a1e3c345f3d936e138fd4cc4a62c693c67012e1c67db5a2656dce32f0ee9ca33ebe78c747dfbeb6ce12ebeb28ef539167dc54b6195c4e743db5f4e61b12dd544c453832a6f244a9f8e69b0dbe1a9518ec19ef30c112ac54e0a45f1413f5c415f4d0688d922ace8e1310cfb88d48ee1edd87c004b0d67ab18abe8e2b4def7c0ff2b9c5569be5b1d0672277cde0fef17639a4d6e37e0705f99678da2520578f9c6ae410b3566fd4ab325dcd587a2b5ce7f7c1425943a07c858f04241f8cc9c71f233e2124f76e10e71cacc13cdc4272cb46ffe3ee8fffdf17c888812de6037e46ab13d6696841f83969128a2b71bf20c890224b219f53b07504a3375a273cf29b96a27ce6697f4f7b8fb3f08b940301f976f617f9670b07d4be006ff98ac83009c2eec35532f8e7967449bc584bbe9934bf0f5c77b15c2ff10dab68b4d7bbfaccea9c0e166c7879c0f912660b2d23ff2d3f26201cc55425f136cf3bb84082778858bff01ff8ab84bb187398766dbb6289f01349563842217050f14d90dc01b69f8a9b34c9ffbdae4629bb274e946dbcf39fa31237f2a3b749bbfa589ba555eba0a023b31d1fbd56bb9ef0f20d9eeda503924995ad6d15e116fe84b1ac10772ee3b154c961dbebfdc9faa303e825b69c7838a130e27beec91fc93a9fb9dbb4491ec58aa3263c29edd3875
\ No newline at end of file
diff --git a/src/tuf/examples/repository_basic/keystore/9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4.key b/src/tuf/examples/repository_basic/keystore/9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4.key
new file mode 100644
index 00000000..14ff778c
--- /dev/null
+++ b/src/tuf/examples/repository_basic/keystore/9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4.key
@@ -0,0 +1 @@
+4f74a37a4548e651@@@@16fa190bf9fcb63f31a090bdbd4abe70@@@@a94ec40c404bb70ffff4c550a9040425e3adb862428922523a309611df51934220e88095b12ba1f3b4437713ac90cd64f8fc8f864fb6c1b91396e88e0f1f30ef8c6cd3c6e979fb95b0d2ab7dd18f6012a953fe21897897d6903ec62954198ab92262319cebc2f939d0f6be618fcfb0088c13960f6d48ef7697787496a6ac2e43b1d26a3a84d6f3871837d331c5d83829850e2c8d738532313bb0d22ea2ea87acf199d2d52c9aec9a3670d5f5b9cf662024dea7aac6e45c78f27e146bc46b5500640aeec6c9f7cdc8240c90b33d5111f41907133c1aa9c060fde7ef11cc08214c7dd13e7da8a9e284b6c486eb369ef27a1b3c195d02eb2f02a0cc572ebf8d438007a6553d31581494f76c9fa76742fc7caf09fef2273563373d310f76dae3c89edbfeeb262dde83dec8290c1fad4c4c4f41d64c4adebf50f57e4acbfe920255bad3ef9089c6093b418d3a95531637702dfbc927ea077bd38a2ed751b1c1f648385a4d8f6ab16a3cdb9d15443f1daa2186372d059601e49ce53954d68b7a5de890288b3339e33d081d6e0289afc4ffaea1f36e00290db90653a4a977f745cae98ef24dbe1aa02f7c5e7a880e605d054fd1d7dfe79eb9e17d73856dd492fee56895bb308f1c4415d9c9bab361441f29501d8d721c71823c4cf25b7a11ed0c4980fa22899646bd18d62ed1a9f68165c53fdb2828f8c5ec6c2144ed94dc73b41d377ef5dfc17be29ce5cd870672eb5060f5008adf1c0842984e3e5b153feb6f5f19200975178c57745dc474249d6dfaa1da398cecd5661aad26c9e90bf85af74b75632a74ccaf0dd273e08034ec91460138e8a39b5b0b086beba60771ed550aeee818fda3550f09f1685ff994696f94cda402cfa7d1bb6101c69652614370f5df05181b1f6b38fbe78efb1f190827085a3ba0c6cc7ddab2e646fe5b7b4b89ebaee7a067cd7c24ae2f431b5be2604e7f2eed0819ad87dae44c727d029dc554d4a1183c3f96b0238f4c65dcd1ea705e1e7e73d198c2e18024981cad41ec5ca191be98927a1fe3d2689d728c1864246717ced69aa626c247a93dbe5fcf24581a4ccc631c8831e6be6fedfe6cd133dabf19417dd0ed4a732eb0cc1a22401ff5f3b70c986e644467684c22ba0baef00cba43788f2652165080bc4412e4060a5511e4707c227e023d2efb2fb4eac7b7213b9d9de3de4be3c5f004d3511e68a5ddd7e4bdb7a95c9102dd52e37606f129478aa2ad1592178e0748a5944cd0b7d21481409eb09f969e11c26b7b0d01160337e338c8f7bd9fa1a60a451fc9e8749faa312fad8c8246569283bb809084cd8ebafb43f7a76729fa3123ad111f4ff997ee150311bb681dd0ad6699e92c98cf7bc55b5d0b1e02b21a61c847226e88b69dea8302154d9b2ede5954e3bffd0d37ddc928e63c43b6111f6585249ecfc4769690b6ace180aa2a1eeda2fbfd9c479648ac03f4b917e241a06ab6538a2f4f18e191e2701643eec915f8565373c3eb13d874d3ad99e92a014b6dcd93fc0b25b0bb14c27535ccfd97e72a9c32c7f1599fe52b1596585b98a426fc7261e374cff1e66a19000eb5e75e3fe8088d58076e95eacd39cd956b87cf162affc15dc0d44f3cd3d64cd61ec9c0eb1b758a3e72ca418bb9062c392d1892b2861bd50c78e9b00a8839d4ab829064d56fcc659113f4c64a6801bc49617401051f08d97fd658403dabcbb992c59b09a04a0f732f18356e3f636a31d5752ced7bb1b3f84be986bb9c552b4656d4cdeeea3437cc6e466a709780618caaaf7235054ffa7b64f698f39212f580a8bfe24e66caa3835f3965b078feb75eab97555669a6772571ab2f9d6b5b6fb32ae81c883a2e15a262e92cdf2a09f598834e7d60927bd405a7eb10fb5d5c5ac5e31d99fe9e7a8d9e4592c75086d1bc1e5d9bd3cbba9b42fa96a8afa474b09eb582996593e46555781e8a20b3eee823fff68b3f35fbbe3627f6f9e4042f64d937d053aa2c499ea052506c98a826a495aa00e7c07615f25f60b68f2d2cc2e6a4dae193d20030a24faa55b9c391288a9dfd1354b9678cc742c6dab8c0d09627ec541b41b90bf5a35e092a69f93c0de44f5aa29d6a9d5e84cfdbe7cc3ae083cae2c3e5b650dd42397d36e801b463faac316e913a1535b90569b68c021808dc3b8dc3c9d75a3ad9b8d78ced8706981994ad08001cd5e69650e3247cb3c1a61f10faebcdbf1308a9ecfece301b0ce341a8b11dcdf1540448b0d103ab076abc7e91ce4147ebd7c104544e181fdd279fc5bc3910e37a3b84781f4a67e2874824c86724016efc6c6c6f79d6881adc44fe2d4e4871c5fb69936e6eb2ba5a2ea5fe295444c4a7d2e690540ba5f973fd9be92df785623cfc188d4fc4de7aa8ddb558939f52e1581955579a991779e81267b479d2b91ace3f24e9e6fa69231fe97a29e55c1c8d1eebd969e69487eae4f1cc2abc47d04374a94bd62975789af468ec0e6e17a11ffe8ca81d19c153094543acd06febcba9b2a239fe6067e597629440545f5fe04467cc12bf25dcb2a8b803a475592f78a9b2ed7fe98af364e6254d1e4957183433d02579138ec878f1339c8c832f35eb7168b1b8e425dee00376060a14221d6a708c4894d941fa0ef2acef853af65c975057733c68b2dc2466995c988c83e91adcc7ba450aa4277f188298279e10b81250b1b46650de5c2cc99d73b0ff1a41d00c63548bc55d989c74a6fbf3c56e5a803e35992f29418422b4f027ab266cf093aae4bfdc3a01cd78518d4351dcfe8401452feb58de73f1941e9085a926f7dd2c2df98ea7b756c82a9fe6c07f5fd6527999215a7a4b8f41563ae81eacb413282c61b4e101dee3eb4d4c338e28161df8a5c2ae3088722beb53ab407803562b45ff863894565e11defdc16d91e8970da4aa18f33fa98a7d31ca96596ce7ff9f39a1d365b3f6115bb2c2735b0f8ad47c5fc32034746a8a9f82ddbd115981629bcdba215b703ae9cddb12a50453d740fa08eb5c292d56b69de5d08f004dd824ec93b0f5ffb617b0844a7ca5d3986bccfb127c8772d778baaece744f4ecc8d81a43449a342549f895309402c5da78737b7bf775cbbce18bfd802313a98bba1d8b80a49e90f2a829f87b55965cb7826703e1a509220132ac50606c7fabe5adce4d5b71617c6532e38acdfcb841063e8ea3f48f325e004bd2fe522d6cae478a1093693c79c120ba294d5b006a842539a115d7793eb32375a9dfa046e0eda1c942d5d5b3a7a699b3a382c066f6f106c8276e9e4e829cdfd53208b0af26edda917cd5e39a070d74c8a3835db5c32c254ca5c158b0e207f0cdb23642e7f99bf4b6b65745966047d9f4fa505a9f2514c9df27b22efda3379749a0c736580e55041478e70d4738ab8a09d7431e68ec54faa62fa323de5b38eae46cdeba651c471f36c145a14bde8bb8209095b04a89668bcd795b3e45e1b72ddcde0eb55379c06802a62429361a4357cdb017d8c140bd48e2d9ca432993ee23cab736b6b0191455504595af191e9dd51e5be1ab29fa8c2e045071e331d04713163f3f385ada1b294b8e6efcdb27feaed57f30af49b0f75679671be26bcf78d46f5cb7770cda4d2fb21d841bef3d4744df4dfcb3bdcccc6fda9afa4ba0ebdda77a8861c632cbe141789c5f4a200c1e5e6b90ee251d9c3d557469580f6ac09af41f18bfa883e418b2bfc392db41f0b890c3c121368fcf3743301b4c9cdb19aa5c4b32f04bc72d4bf06ad3ae44122a50a5f255b8871a1c71c7c4498537528b40d876cc88451758bc548784f814ef258091503baff418dc7a15fe0e4d8ca78cb5c84d09df93a7078d7591bbbff8ff4605a5c5984d7cc7ce7233a6c84d45d974a5e342726861617c3b6ca4517700b528afcd47cf676dc16145e22bca0e616a1bdceced2b467e84e8dcb869b43ec652ead0cecbcda58c37888411d43f98ab9d3bbc322e63dacc402279b6e6b11e4ec45b58fbb8aafb1761b4c5fabb829411d8089760f9424d51d1617205bd8582c8dc29b9e0d0d585658298709620420f8e7be86034a0eda76f2f787c8e18080ff68d10c5f2189998eb883c9bb81fc194f8ed96a1706a5a4d6e8ac70141f7e28ab54ab22ef87833832904289f000998a8583b08b96017f11065f769505c82b201de5c0102a7b4d71281acf0ad3106b236781a8a287e18ed38c0f6a659ab37cbed74040715810d132216e64462082579d32a8d8ba082779dce925d65f844fb619bf21304f677d88e098d32a9fc6eefd327d023517c135601a846065ecfbb3611e12a1932bc4dd729169330432d6bf80c084012c4920445dbf6794b13554eedfccab04701ae83ddc47c6d6de545e224fc245492780b877e33c201c42aa761051c54bb10312dd044c41a6561d5ba4041d8c1d67b047ec1e84b6eb17c6940fbaacb26377db5532bd340e0f343a1f502cbed258f97db1fe1d381504e79bc727ec6d581e2c155f8c3fa362e2ddb6ea3ba35a34a6c2b625100f44dd25737d9c6ef0aacf59c0e0e15b7c3b
\ No newline at end of file
diff --git a/src/tuf/examples/repository_basic/keystore/c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf.key b/src/tuf/examples/repository_basic/keystore/c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf.key
new file mode 100644
index 00000000..e65d5ae8
--- /dev/null
+++ b/src/tuf/examples/repository_basic/keystore/c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf.key
@@ -0,0 +1 @@
+513ce3ed8f8da7d9@@@@a8cd9eae208b7252e9dea0aaa5f971fc@@@@6f3b067614dff4022c24db3f1eb43dc47c4f392b2984c99c89e09fdc80b7efdba76082b184ba86876f0cc2f08bd2a9d398b22e79811698a56e6d22590e82d2367e1c624b73f4b4ad2105fd43801d5be36312336ef910dddba7e70d20e27ec8d449c911492d08eeb0fe68e77a532073379bca762905a5d8b851a4ac324e9d32adc168b293e30bf7d36f00e24156659dfc2f2e888a77c8b23fdbbc2a865d1d9753cc141c1096ce40c01a2c7d2c5e1c6f0e467da3e6d8b7aefc1107b47370e0aab31ce53019bd44ff41cac9645ff5f82f484553fe1285ae8e0deee2c15731595d44b4f6ed53c52355cc944d82952066a058c51a99d60ff1a75b9fe13fed20561d77322fe95242b0f084d212f27f9a65bb230bf881b8f81a6fddd5d51503cde23aec2544183d79dfbf0e61d3518238dd573e50d4baf64131817b2baf0d453377a74dbb9e5de260c081f43c280ca42574432399d4e3a8b00f70a977bd41eca16b224ed36467d5db5ea5ea0ed1394adb4d8f4d5577bf0e147dc4dfd86d3ac4cfc030381ac8db1f8abcebb7d7df9fcf78ae62f62810229177b5d8e8e76afa44fdd95a85668919688872cbb9d958db0f10752187b09eacd0f7ffbd834ddcc1be3e8364981033916d30784c7dc328a5dfdc5b0c90601d4241a1624ec55718b2bfd0ee68319e2ce14bc30b5de7894d43c8d11868e9f00b9f1907336eeddfe9868377b9ed084452dc01fd0ace5b3955803220d45bb106a73c5ed168ca6875c5556251f2f29feecc4369a05a82493b5189591d26f58bd4556dccc1d18a8845bbbe14d26a16fdc77cd4f3775081871427001f1c69f4e1ec283c4f4434d809f81b3c00b5d830836972fb39d6679973f8fb43d129f15596286908642dc814d8bf9553b3c7c2bde2ffea73c09d579c6eeff728144c6031afb64f84e63e6a2e1e21d31e0694133b84b8ff6c07e598b1e7640db86e120e088d87389f92054b344a9d3c00312e2654ab48759ea671f711ce437fbe95c2ae7008251d1036d8c6a2fef78cd550094766c6ce9c54957b14d04c25cff02a8051448ea273abb49bceff6bd28e651fa16cdb73d501b007df16b4be1c19359d6323bfe9c24f8dd35b5831a9a3546f0bef3e705069c4a2ed8972f87c3e8da59ffb3689a4fd5c28e67ae732b21b07a30a85e86afacb77cf816476403fe8b107c85bef1a6a7c164cccb5fa4ee65acab45297a05d4752fea89587e003448ec3949937f775a42fa69e4e870a054a918ef0f9070a9117ed6615b312d2d2071e3479a19f09b7cd84f184c5fcd6f5a5917aa17e6c8a561af3c18c34c871441b0164e9e5244be9a3d1f88d6de9042e3af1f3891d78e1ea3f81e53a4bb0d6bbbd954703e78129ad7887b86cec77ce8c840e978c7762ad4370190e210fb4d1b564c6efc9a4e9410d8e8725db0b2e3a330a1c05633d039a92001d6ff8088aa6782adabcb16ea02c7d12d210404299e6ff88e505071723292ad5db90b2cdcf31272a48f1f8a86c11d166cd9ecc2b47d493afbbba197cbb250dd77d079a56a17bcf761e7ab5135a19adb57e37add8a1c5f40da9236d5d6c0d0bdeae69b667890ac850df0597074375d7bd8b35063462c2b1551663850b749c09ca4ac55e70a7a730dbd5cfde2ad3bc996e1e393061e5e34eeaeb61651ec88cf62ef4a4dc39dfb2ceb8eaa0bc5d62b912bddebac90ff6d1d8b69f8c9179af627f5602a21d899d98921b9fe47885521510be9f1283b2058a2ecb83cd6172354db4bd21d70a035ffd9d75e7830786b586cbaea138810ad98f82e553b037783e40b524318c82cedd04f6c98c474406eb631cbe3704ee245160a90b24b090c9acfcf472b1ab546fe2818a2515f88f3dc40014f4b09da948cbc26b813dd6c8c630897c2cbc1e949708f8f735269677c5498a6d6b0f13262ced195849cee7bc2ed48226ca7a35fe92f839b432b0339296733f1dde0ca1972d94cb5d39994b193dfcae4674272092d4d51115f406cf6832083c98c7817d17eb29d0034e2860b55ee6c28ad37c6b0c6f19149a6bdf6b068cfdc2a9df112c408fa34094a81195aa6084d732b81d21782a3b834d65e561a01c1ecb5b7ec84beed3d99dd99b11ea312b532a7401550ac1280214291c6c2031407a88248b8932ee0dabf65c00562cb5656377a5bea865f531b712fe2cb6a12404ea9d589b46b13bf8163c6199bee670611f88a981ea4fffef77cabb9cf38d27aab4c32f6e971fe36d80b69f10f17419fc1f3994bb937aa84f0bca2841778649d0cc678533739a07300f7a8270357ed426cc200e43cdc2cc26e5b209ad7992a0f7b4950e972f18cf7def7e986019c59bd1ec729a98a41a2e82ecddefb72a0288c3578d8b6d089f6d485d8e2aa44fc9f2c8082c6783e5ab1bd9cee551d6f1d8635ef834846c6e9ce80b3f6aec4971ed14731716aa70de24c0990cd2140728012394457acace889ecd012c302e0b22f3a51153c55be9fb6adb60c9b649a12cc4675f08d25c79a64de3f1e95f126e951f97fa0d9ed4077120d4fb5be688c40b385dc73a234e1943561bda8455c0c6ad3b7c8e411f63e64b53d5e8a0184b7cb09ef2b1fbc0fc438b93fe93ec8ca20a27cf63bb6c7028267895e0fcaff4f9a214fb8fecbe73f90fd1b816c8b55a432d2e047918a9e57501ad42bbe0a764c6bd3d1d35459a9021803fd5f3bf2f6f028fff5616d8cd316369c28b92e6eecbfa1c1ddf66f154f454fc44b7ed5d1cf0f424c7ad176022e47ff7589d1bc9c14386598a698db92f07c73187580e33d3b4073bec19b93b4ca3dec980afd0c9d2e58a04725c6725c24928744ebe638d15ff3f02a75f2e327a006fe7044a3f6bc6b5a4eb9e1618d22a390c8783e1949d55f408ded3b3a4628ba4d0efb86a49103276b005a96cccd7413290e0cec5cae2dce22bbb367b04afd3d75d13b734f12509aa8a4915a3a1bdfc6213b633e5b7e6e1a5d3685a543daf47f6cdb722531223463507c259edb03402e0784ee568a229218595a494322337439540ac95a1de7b8a8638b242fbae19f00ae315bcc91c4ee34a4d1ac1c6461b30d86f30ab60dfe4c0b8bf472649d681c63136e7e429bdcc608ee0acc08e588de7da6c031b975b992f4bc5e77584b30db7d6ca19636da01bc76a8e84c65fcef9aa161e505e9bd64decfe7e4c751ecbd276e3b207790b00c2985560fe4ff27ef4ee9940c06a9ed3b0af5e2b856f47bde94c1827368bc4a0b0f5e23b245fd873f1bc6f557ac0265fee0ab133e5473a82e9502a8b4e4f964b2faadc310245ac3a32a550ebc29894d6db0ddd83acdf94111c610dfad41b2844814593db7a2838a9f963133997d20eb82b9c4ef64680d638099d58b083cdaa303d75ccac49225863bb7da2d13fab767ac9784ae93ec7e1372d0e143e19c10e073897d7e832487aa81fefc363fe249dc1909b1ce31d518d12ebc2cff11d1623ec477489b559627f4442a18cdf28f307de6b0d3fb31e4451159f4e93340a97cc19129b948e4e3f43551e351f263eb0bb00f3ad04139d89b74fbe7402fe1254c5e32eec9a1172258f3ba19ad61515620d2ddeb94c1ded760d2409d1b7ad775607b033c42a6348643317cff13dae462eb4702ed19cc268ea77c6890e3796c345b90f1894911d809de1e23f74fdf36998b4bf0a0d5b9c5e50feece9716a6f3d3100bd4fe2c950dcb5c4c64c5fd6c8f25cdd1b76c6103eb3c399f6eb53d38c69b2baa409151ae13678f6d954b8af53244cccec53e26792410edf9bc1e7418545ba43b4b7377362f2c78d7782de5869273d986adf75700723cdd5096a7fd16f0c8a918b7a92f0ccbccef0e01318b62a01227cb46fa122346c087473ed75426883b71e38c501579a80e3aeaedd9d7964c6d7b92aa1e76e68d61a0a22bdd82d0797c70d1d0d11ddc02cf39e363f27fb67b4c7006e410f662b966ce9ca2cdeac1e98c198cba3753c63970591747d7c8e8844cd362eaa2bd849c8481ef161b5d5fb73063b19d276ff7a42c91e54876a558c43e7d853e7c5aa00ab4bd7ae1c33cd94aca90a43b4352d8d58e2bddf41d84c297448bc396ad9763beca41d8f0db363fb4955cfb58f9b4286767168ef5c8c7484370c17414778bdc257ecff9f3dac73ece9e45a1002ad01781b4a94a20cd63b660890f8ec9a9f384b4233d51a092f8b60cd40503cc2e11d6a5d5ff2764f224e4d5ff8eb123415f47e20668143863c8aff4a5ba8b69431cae642dce0f0a7c2e3c65f66c3c134aa2c6f6528de633e98d56f9174e12aa5931cf292a80427d66c5dddaeee82b9b74be8ad590b9bde8fe99b9d9cfecd325d39995c69312c0599b56ad9116435bb1bbc6c28cb103946c32abaca3762145e706a3384b00cf85419b38d7bc80e46334c5ea4e2c502ce8d84150fdf03452e5aa8c3b08d5fd750077dc9b25a1ef6eabdfb27c1531ecf6d628dcdfd98a98823ec284d6b49bf50c312bd8769648ca5c031c1fa25d78a74d2ed03719807214a5d939aef13eed29c271c24f30521c4
\ No newline at end of file
diff --git a/src/tuf/examples/repository_basic/repository/config.cfg b/src/tuf/examples/repository_basic/repository/config.cfg
new file mode 100644
index 00000000..c35917b1
--- /dev/null
+++ b/src/tuf/examples/repository_basic/repository/config.cfg
@@ -0,0 +1,23 @@
+[expiration]
+days = 730
+years = 0
+minutes = 0
+hours = 0
+seconds = 0
+
+[release]
+keyids = 9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4
+threshold = 1
+
+[timestamp]
+keyids = c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf
+threshold = 1
+
+[root]
+keyids = 86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b,4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2
+threshold = 2
+
+[targets]
+keyids = 7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559
+threshold = 1
+
diff --git a/src/tuf/examples/repository_basic/repository/metadata/release.txt b/src/tuf/examples/repository_basic/repository/metadata/release.txt
new file mode 100644
index 00000000..ade738e8
--- /dev/null
+++ b/src/tuf/examples/repository_basic/repository/metadata/release.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4", 
+   "method": "evp", 
+   "sig": "61020111d9e1e1082d79690596d176d6eb5bad3bd0e695eb42930c39a018d18a64d52d7f4114272c8ee7c1b954708d95e0d7c6cafd95078d122dc67b3709484cef2d823376bbb9010f6cfa8034992df814c55c9f70e9411879ce7b54c4d6f1e4ed91ba328db0c26be0532d404358561ba347f1d55aad0a0eb83d9ba224b6760ad3d47dbcdc90d7ba7bf1597992288ec960a1181a1ffe1ff3b0eb7b5c4423bb1a20c01af2ddf5579e3a0704b4d7a58a8a0745edb6ce41c680239819b3772ae3f20486dc344ca7828c9581ba63af4ec11855dbf6213e2a260cc03b281659fa77c9fceeb0b7a25e1ea08bf1bbe5663bfb502c2145f6b5057005d989a8b35e56ae9b3f1f80c3c74f229d4c0bd3c807a7b6acb221ad42da90bf3137716a7d10aa9004e52ab74ceb706eeb6bb1834df1c994e83a64b3f6dae99a5586668803777d788fcc63e3ed3186c5b1186ec2dcf7fd2d7afe120470d667611ddae9b8617bd4ce1f2f0e6ae37b733a739c1d08814c53b25944f50b5be3f40488f683d3b89eb07127"
+  }
+ ], 
+ "signed": {
+  "_type": "Release", 
+  "expires": "2013-12-17 00:31:02", 
+  "meta": {
+   "root.txt": {
+    "hashes": {
+     "sha256": "72925bfeb643bd56c2368c890eb62af735d35f81d5518f42974c5d90863d4bad"
+    }, 
+    "length": 6571
+   }, 
+   "targets.txt": {
+    "hashes": {
+     "sha256": "e502a5d0079e59e122274f115fcb9a3c84f6d660bb50910fb3a757f58df00fe6"
+    }, 
+    "length": 1346
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/repository/metadata/root.txt b/src/tuf/examples/repository_basic/repository/metadata/root.txt
new file mode 100644
index 00000000..bdc140f0
--- /dev/null
+++ b/src/tuf/examples/repository_basic/repository/metadata/root.txt
@@ -0,0 +1,83 @@
+{
+ "signatures": [
+  {
+   "keyid": "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b", 
+   "method": "evp", 
+   "sig": "91fb132a9ebf78fb2a688178dc5dcbbbe389baab063dd34fa9e7ccf8cb613a9356eb78ded2f7a12d454e2311b71ca0c75a2548515f1d1d35c1206da478d1535326eb172383a2687087e12f1d19b13b6adf0b4e35b9b992fecef93b0841aafb0143b19fb0e6e2dae49cd4052ddb0c1bcc4efdf3adbede95a509f04057082d80241cdbb5cb190559ce0a57906017b6352cbc0c837ca0d3428519a776454767dbcd0af1cadc5020e9e2d90cd4b8eebd4ca06859486575401aaa8aa6c3603a642d678e1f5b7849949903b28bb9bf88fab62ca30fbd160368eb998ce1c8a90a29573f02f6fcaa13bf1baa1dd72295c4de3350f72f8abbdf6d780810957c38ff2ec499c5928f241f4339c835e71b0013f6dcc41d01a7d43d8def9f8de8a46a73f9845a7f82b2a856096d6cbb9639146b94828ce1bbbf1f4927ab4d4100292d689ccc6efcf9d8fe61077224f4984bdafca6a8848020104130dc18fdea7fb53052d9bc70f94589522e8504a40518b657288ca6c9efaaf6baa562e83bd1e671f8199cafe8"
+  }, 
+  {
+   "keyid": "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2", 
+   "method": "evp", 
+   "sig": "845528efb13d16600a492201d1d656d81ab819bab60d123b2dfc9bfc04647bcf8129872a7c1b0db21d9c1005e4cd55c91282f5410c9939ca3e8acb70d55eced6194c94152d70e00193298730b9019a3282196dd23543f15c1d6f5431efb53a1b04c3d40f0e177d7ad6ecafbda363e89d5dd4e2ce8b7ac6ab2808ff361d6dabeeb443358dfcb763aa9b9857826fc587a2c4b72a0ce7d0e2d073ea4f2fe453a5b72afbcf160e3029f969b290f2e0250225a2ce88895e10fcb6c1638c70bca5d2add74324de9d581e54e9b99c9c000904b55d37a775e8496ca97aae384b500c83e2694403f4687479fb2cc56d981afa2c45b9ce968817e168f87fc0d7419e973c4162baa2e59c339ce82ec5a565a4b3993b2f3e885a1d38240996834b530de306b600d2cfbcb2660ac903b5a7b6e270081fe72f98cf6e29047915ade88cde3c860a4d1637a4f8057a6b7815e21111388bd7a678c8b3221b8adcfc1f4629ff75ebadd3160abd88b71bbb175592cd99f0769bde1466174e0a8a63a07cefbba766fcef"
+  }
+ ], 
+ "signed": {
+  "_type": "Root", 
+  "expires": "2014-12-17 00:31:01", 
+  "keys": {
+   "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuFzNjOV+tTnkMzB+UUWi\no/n0hWE5nKeBie+erzGHsRqYTwY2afsUORnogFkt2erdR9zR4TAWGMIvJbnDujQi\npkhUIueZB6vGCRBT2Mfk8vOUTQ+8Xc6FNCyhLZfJKL8fxEOAaF9HSOt3u9BugPVB\nL5QLc/fcWNgBiTErR/kcLH1LvaDeFijOuSC6VDq4GjONK70n1d/CtGmPYIMQj89L\nsIThUrREIH2oHRXFIUDJLHmAJXgw31chpC4CI9/ehnShcM1AaQTfpNwsOFkzNpfk\nCweYN3w9h6I+/3hPlD1oPluolSpz3MTQ2YXnRDBijptGBz4aPW2V6R5fE9Tx2xZr\neI2wlzsObFSvJ9V8guVc/yVM6PwCeVuQknzFo2xXYvQgzpKTSSgk1+0tiJqZkuIk\n7ENhglKwTL9vu40pTgE+gkKRC+CgDPwJ4+VMZJANsFPfCZxMw8+ddufTL70PtSp0\nKDRshTy1E4v8hMacSprTttDsXyyHswp3BARFkPZDy/c3AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAsCSACdXyAzAjYWk5acxx\nzlEZgftJULKXvzpcbEzCtwC5Izst23twvlKtGYYcJqw4sPKgxgnHy7WgUxKiVbLX\nQvop4kSKqwpfV4t8ZBHvvHypIzS6ZBknwNU4SvDeYdajbzOlNkPvrANtLyfpKtxT\nxuhmEP7lGFL5pIukNvTqIs2J+3NHNG9O0AU2iwydncohpB10utor6GRgkBj2d9N7\neZQrHyQPtMKodtmlzN2ZUwf859neBPvzd9iGLl+K2zfIHKc0AOyn2kUxFvM81FDy\nHaMuWFqfnKWDftAp8UKZqHFuljvt2zk/HH0t5w9mKiy68qL/jGAoaPcKpWgGAHN4\nTj/6ugSij6/GimYdgOr2taD5BWMyxSjyvCE0FvH/Gi+4+DT6Ll9Ri6K1iLOYjan3\njFsTMBkZ7Gdavc1vIkSgn3joZMGvdVK2JYzPy/ZJ15KEnAUbymnA+CyKAA+gSRzo\nYXSDM6JGlCci3pLl235gDu5lI03Wuf/GlPEwXs4pkry/AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA3yIiwviVYlg8NW0B8gxR\nltqmrKL0MfXjoq1UxtE0G/ySki6w8uOznnqiR+G4dOQvHbrTZytTq655v+BySCIC\nQWLyO4x7c2vm4APpiOhIfMjz23uxLhbR9ZVhk0dSv1wykP4O4TIGaRPfLTTTEADS\nqgIIXKOm4zjlztdIzjmlh5vLknI3w1VfRPYT2jBQSZ9Vld0SVNJz3JYW2ylI2jrP\njTPNnrb5GQ/pthrZZFGe1B/w7rfQvO7pA4BfNPT1TI8sL9NpFz8HXAE+bJ8EkP+a\ne01jHNhLtzJxDJRa+BXQtMh5QtJffrLNnwxBGPVBZdIOJm+FSf+D4v+W+Y/M/ayK\nI9TdOlKExYoWQ99tIgG4J7J8L88Mfh9+dduTtDT/jEfQCx4olxsqgJtxpzjTC3Nr\nDpm27djxeX74otXXNNOEN2Wzs/VvEBCWsHfElIyfdElYIImlzd2FyD1AQyhUoe01\nQOI9cjmmLybQKgIXgyoeQ0SRxZFNYAM3kPw4w5/JAsM7AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyFShMexVSDMDMs5wGt0G\nQBOR8XyTV8JpkCKdSRMW3IsSMueagdI754q202SbfIRa0JFah99roPxa3IAIHo0X\n3GUO9HJWp5gSrGcKUXrOiz6CMsGwSh6N9xVCNFqpc8EsPceG/hCaqIX1FIGizYdZ\nN2+LwpGvfpBQfAPUau0NREEA/HgFYB4UptOSyg+3kRFCcXr+nJmiDNc5qXp/HQZ2\nqn6yhuhLMh/I1KsqN4HQGYDOg8L7ybuRzEgGabI0/ZVSnVJpOeHogtH6WHPKGZXX\nA3aY0sr4l++DTwe2wCXTkVYzSBwG/AM/zfVwfazQZFHG2d2VnlS2VN+otbpv+qyG\nq+dF2TmqxnnaOoWTXsQ/XTiIHLlSmySE4WZR7pZREdx12ahgChTA0/0FVrM28DIb\nvh0T0NGyxfAGYEWDvr+xjFyks8RhgsA3ftUSkq7nrmsM4iJyvSN01la4MZNHBQGK\n+jSHvtn7AGMAkr4VY/uv4NWGZHiWt33oL/TK6EAHJmA9AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuN8verErqJFpNYjzWCaV\nXk8f4uow950aJTwt2+BMK97KMccgIpOTKemN80iiDHHLfsBmNozYpF2WuWtWpUGQ\nKlbnafbEuzmTrRSMjhEjTxfvGNTh4NPnfHCJFRql/C0Zln/1YVnRdF7qcc+C+ru8\nc0OhMT1Z4tu4JoqK3jz4Pf5jq+5Vm3SaJ+h0eBo/IArqDoXEHKVZDggsDRM9gVhv\nov79O43Qt3/pdP+o1hAhifHADs6nMse+0PrkP+bYMu9UQ5TqUmKDdaVnYETP7VYX\nDMG1Ipj5GGhPu4bJzahf1j+4RzFAsb8yIojjgHsKxD42rp9mAZt50tr2meSDEO2Z\nLtjH3zaPdaP5WCcQyHhHPVhibdyP8hLmw9FpSTW5pYRRDT8HHcfp/YTpE5TBKApC\n80io16g/FCveJL6pV4leLEZXeroKBB5SCCAPzXoAL7ITUHM3DSmNNcaf+ClXK8Wf\n+s/EUe3qGD2VF0/xs36rsxnsCwwspgjlh6/B+27/i2QRAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }
+  }, 
+  "roles": {
+   "release": {
+    "keyids": [
+     "9411398cb36dbce77727208a3ed8f634a194134a117c5980d3ff22bc54a25de4"
+    ], 
+    "threshold": 1
+   }, 
+   "root": {
+    "keyids": [
+     "86e0a0c096d2244436911f15d89ee3a647b6978ca156f93b7eba730038e5327b", 
+     "4ac0adf8fac99d3603b02ee88715b0b18ab9203c639a220f3db7aff78d784ab2"
+    ], 
+    "threshold": 2
+   }, 
+   "targets": {
+    "keyids": [
+     "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559"
+    ], 
+    "threshold": 1
+   }, 
+   "timestamp": {
+    "keyids": [
+     "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf"
+    ], 
+    "threshold": 1
+   }
+  }, 
+  "ts": "2012-12-17 00:31:01"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/repository/metadata/targets.txt b/src/tuf/examples/repository_basic/repository/metadata/targets.txt
new file mode 100644
index 00000000..07322a34
--- /dev/null
+++ b/src/tuf/examples/repository_basic/repository/metadata/targets.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "7e6d7b7d2d60f175d4e48b11347f8f648e2c58093cd47986531e80747bd2c559", 
+   "method": "evp", 
+   "sig": "959294bc789a7490e235d6313507bcc8b4c6296a32fd923c370ba7529914d6a41c15b4857cd7c31a75e40af3e16ad66055cc79632828ecd08609ebb1f9dcba1b841ba713a3b1535644385b36d8c882192bfd7e64b94a7a71fa9d1b6976466946e08cce0257ed1b3ba7cf28dd7dc6315a6782d366eef0dde2a2222eb7ced1d6fa3680c51ab83490b46de49eb2e1793bbb08bb6b9c16511987beafb143032b7d86700a3a8ab6f62f29afb8da0bcf6f4fbf6e3b9299f9541b5b90d6f6e71ed8bb05fe14c5c6c6a949e22b3ca2fac00c981c18147fad2c92cb7b7a63e5fc9fa9636c0d94597850f4045147b88ae06f49fa1ba4b80ec09d5e9e13b090a6e877dc30d98bfeadf24402767b2c12f1ded8b886f9b8e09c3c4bf192bc40a2b7976580bfc513127f282a26ebb52d4ac29facf5cfc0d372064a0a06a63f50fd1ae932b1909ac5ebb611184c980a169ec4550e1b23da3169351fe42cb4db69865a027690f0489210b1ea3951fd0089cf46ca8cdc9564ba59031d1aa404f8cff157c08ca6bb3b"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "expires": "2013-12-17 00:31:02", 
+  "targets": {
+   "LICENSE.txt": {
+    "hashes": {
+     "sha256": "cd65721176ce5fdbb05773c0b1349f993b94ce77a51062cfa7a78b34cc82fc71"
+    }, 
+    "length": 3286
+   }, 
+   "helloworld.py": {
+    "hashes": {
+     "sha256": "c7861802c53ca2ce7a9717fc1544a902508576799074be9cc21630553a9471da"
+    }, 
+    "length": 21
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/repository/metadata/timestamp.txt b/src/tuf/examples/repository_basic/repository/metadata/timestamp.txt
new file mode 100644
index 00000000..73513dd2
--- /dev/null
+++ b/src/tuf/examples/repository_basic/repository/metadata/timestamp.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "c57c4439c8cd88e0571d651696b17c069702b637d59f2e9c4f88894d2cb5cabf", 
+   "method": "evp", 
+   "sig": "401f0b342d8ca5d8ccda13ae006eccff6b970ccb5a40102d5688314c3ddcb62aaa5e71e5f711231e5f0db75ab8764ca7e8d9688736aec25c49575c2a224c3c281b5c5c6ba561e95ab7900f0928b6fa74655b11572d878cabcdbf475f3928d5898a41464739beb2296d01b18017f09658438e32791b6297dda9918716ee9011c5eca22be29b705b7dde33f0f29363eab5348e8b2026c415ea65e6d40c8068e499a3e27c1b85c3f9d15ed251e94b991e469675ce2dadfca21c05ac9f400679bd03c9ff4989b7dbfe696f995697511c0ba80830d51347792ef2a6bc2e8f6ae5f8623c08d616ea94cf2f88c03d8cf2e56f09e189748a66fad393464add092464a1f8842610d96122c372da00638fe90f0ffffe38b2002837f4993e59eb35bb942db2d1e93faa6a3f432be1fbaeb32d60cc612eac1b72d4d5b03c21c2042c720b412266b221bc8917353a7a9140ae4fe5cc6a703e9fb8f898b6cf45e12af440ee06c86d4aab92631f0ae1017a461141e4098df6e7dbda00624e502eb293987053d787"
+  }
+ ], 
+ "signed": {
+  "_type": "Timestamp", 
+  "expires": "2013-12-17 00:31:02", 
+  "meta": {
+   "release.txt": {
+    "hashes": {
+     "sha256": "3a5a6ec1f3530b21a68a5bbe42a7fa5422dae9c4f211a99c678208ddedce36e0"
+    }, 
+    "length": 1340
+   }
+  }, 
+  "ts": "2012-12-17 00:31:02"
+ }
+}
diff --git a/src/tuf/examples/repository_basic/repository/targets/LICENSE.txt b/src/tuf/examples/repository_basic/repository/targets/LICENSE.txt
new file mode 100644
index 00000000..544f53dc
--- /dev/null
+++ b/src/tuf/examples/repository_basic/repository/targets/LICENSE.txt
@@ -0,0 +1,66 @@
+        This file contains the license for TUF: The Update Framework.
+
+         It also lists license information for components and source
+                   code used by TUF: The Update Framework.
+
+             If you got this file as a part of a larger bundle,
+        there may be other license terms that you should be aware of.
+
+===============================================================================
+TUF: The Update Framework is distributed under this license:
+
+Copyright (c) 2010, Justin Samuel and Justin Cappos.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and/or hardware specification (the “Work”) to deal in the Work
+without restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies of the Work,
+and to permit persons to whom the Work is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Work.
+
+THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER
+DEALINGS IN THE WORK.
+===============================================================================
+Many files are modified from Thandy and are licensed under the
+following license:
+
+Thandy is distributed under this license:
+
+Copyright (c) 2008, The Tor Project, Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+    * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+===============================================================================
diff --git a/src/tuf/examples/repository_basic/repository/targets/helloworld.py b/src/tuf/examples/repository_basic/repository/targets/helloworld.py
new file mode 100755
index 00000000..255e9764
--- /dev/null
+++ b/src/tuf/examples/repository_basic/repository/targets/helloworld.py
@@ -0,0 +1 @@
+print 'hello world!'
diff --git a/src/tuf/examples/repository_delegations/client/metadata/current/release.txt b/src/tuf/examples/repository_delegations/client/metadata/current/release.txt
new file mode 100644
index 00000000..dfd82681
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/current/release.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92", 
+   "method": "evp", 
+   "sig": "4d8826441628b5d024478808ccb972a6869e357e31ce6770f1b1e5abf93640326f16441ded5c43a99beed7326757e1aec65f72707e9a38a52d8138d5880e628e6a4275fd245c12ca5c846ae031b1990a78699ed425efa0deb5187567661d4eb213b3977751d5b41550d795c063b07fdf601a69f0ec47a11f8ece99e1784bd8b2ab23766dc562dae739b32460331e2ae6dfce9b3e71ccca31ed566fa7be4ad00563e3ad71c95cb7794a689006a242e910036e503a465b2500a1b9ff3ae2c3cec86070c64fb4600a0d1f2d2dc424d770e4836904bc7b254c15511b5915c96303d5d50d175aa721bce98c50f7aad761abd057560dd2d8caef6b2c046bb6db76025ac8effc751d448d4ce4afe813de6e1ccc3a247b98c92497ddcbb8e87cf759a5e53d4c0f5e64440a530f39535771eee63761bb1f3bf65523b15284057c429204eab2eaccbd70307c91c2f313a3ee7a210fe9f6bceba0d390e160b2e25c141bd0c01963d5f12ec2ac10804be445bf15ccd4cef137cb896664b51b2db0a3950f9f34"
+  }
+ ], 
+ "signed": {
+  "_type": "Release", 
+  "expires": "2013-12-17 01:38:35", 
+  "meta": {
+   "root.txt": {
+    "hashes": {
+     "sha256": "5adad012a2d1b3a8d695ac4f17056d205f127d59686d1a4b0c446c8d0beb2acf"
+    }, 
+    "length": 4804
+   }, 
+   "targets.txt": {
+    "hashes": {
+     "sha256": "ca3f216421c9ebdc910c9416a294723d15bd0bd0747d56071b37560b738834a8"
+    }, 
+    "length": 1194
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/client/metadata/current/root.txt b/src/tuf/examples/repository_delegations/client/metadata/current/root.txt
new file mode 100644
index 00000000..8281165f
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/current/root.txt
@@ -0,0 +1,70 @@
+{
+ "signatures": [
+  {
+   "keyid": "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8", 
+   "method": "evp", 
+   "sig": "47a01d62fc6ffcaaca0c1e3de74306d603a67e554acf00c125aa8b2aaefe73269cfe5875f230e2359eacf75c2cf84f71ae43d4dad9415edc80973bfcc620579f7521fdbd00a8386c54ea9459f714fdc305ba8544b5f157632844cddb18b33c95419490db52cafb564456af403a2db33a4f5ba0588db8736e6bc1c8718979a3818b7c9309d9d6a9b0ad686d48fd3148128bb2b0749f27d8b9e2640e278f0082decd56468e3c1002316b0ea9dc1d244499774c9e4e20896307b6cfcb747f89ed953ab6523dade8de33bd5a5ae5351d6be3d3b4140f131e62d9236313a9df644cc4f365de2107427ce8785a454da122eae1dfca6ccbc9b48eca88ac5c7ded1efffc8b2b0ee9f8cecef170592438aed1153b111d0ca0259c6cc131708a17d901349d6e4a6694b7cd770a40613da3420408da1d83fc34c218e378e1862c893e6a91cd8e8313ce1aed4ef293139762b6b5ed5be15fcc06504ecdc3c18bed1c73b18eac0d55a9788faa99a1dbacf16000da941380a3368a726c3d94990090ce5a0eb0ed"
+  }
+ ], 
+ "signed": {
+  "_type": "Root", 
+  "expires": "2014-12-17 01:38:35", 
+  "keys": {
+   "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw3GRZaihBaYj7TkcoQdJ\n20Oj9GKJaT1P80G4HcjwuRTrP9bF6K2yEmVvsisM7ZXY0tCo7F4LLnVxUf00Y9Cb\nwf7wg238cAF72HfMCU4j8mbxwkEK3yh1+N6A8qXfhJGmmftGzfqqo1e3e4dejZXh\nERiUPc34c2T5Z+ReG0GHMOoQNqES1in90AIUvvCMXkHs7BvWTIMJ34b2+JqF6L1t\ngF4Yax/7nJ+BOGmb21lpfPYdijCnLdI7GWeovqVY+fy7DCtQrrpybCBIn2gp/Cn1\n0EXGhMvKDXNQN1sJsi3M/i81tyCfouTOy//p5/zygEd3WkK986JSzB9SX0oK1X7B\nmytRvG2hVfNb4UarZd4Jfi44y5UPOr5VWd/YiLBnI2QkOLChhpSCus8GGi+yXJr8\nmQ7X0sctgsYxAJoREGB4sm1XmYXnGNuSbH+KSD1jYFhJKYPnJQCth3YCs7p/lfER\nWxMw/YVy+JFT2azLC5dgBXz5dxtTeCPL7mM5OB0ea+/tAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxKsZG4IWgn1vMIzIQtxr\nbXrP2sfeGsqMFpGKJS0/KJXtwTpOAb25fqHW25m9Xku/tSWqZw6EiqKKugeQtPHU\nYV0msWLUiSVYG6UQ4MZkO9wMnEaqF85upf0VALm7uVTcqcoZs0Gc1gIzO0Kl75sq\nB+vo92cqo7/MNAi9Dk2D3rGeYmca0y1QphkRHt2wmtuZyVkurSyXHXERM7d0+gVT\n5eajbP+E9xk70Hm4j4o3VcLBJtldNEclPp70j/8nLoV8S06DcxuPG4szrDuzPLas\nGAtKpJLDsp5nxTFn+6BhC/F6fLdO+I5lsxNg4ZBHVUwkbiwDPMSBb+TRjszFHOZ+\nzYuM7f+r6Ed537LUIJEXu2RKdoY1wsKkyzXiKEo+4Asyzz3dPnuuvuXFAN5jRBhA\nitkKPnyrSL2l1wDUazOfXlcP8uMA3jQrKZam9SqLo8sFnEMwgXAHeK8sNITOrnj6\nVMC39D24sfOLBhRo+N6f2FtgP4p/3MoQ6aw/fvjirWqDAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA4vn+PtG6ZJB7JnG7D5wJ\nz8QszLm8EmIznxt50e6nivVj9ttTbJFIk1Mgi/ob91ZvMlys23aYi8AjI74yZZlp\nkunvLSpwAgz4tPnbHy4G5WP/TzDjCsts+CSqcFAZZw7Tuk31Ewvh2cn0XpDWnFhF\ni8M1S6EEX+IifHndPa6pHQWCQHus+VieJuJXfr0COsL1tYFAEk1mOlm9EemBd4iI\nQUDKm89vwpj3/kcYT2EvfKDszF9SV7FO5DxcVNbqoUdkeUYuUVw5tUmFvHb0P00N\n4ak4LoHtR3x/ov4xOJ1IQt+qGa0DFYAre/KpRq+CYOH0OnAhOqmZ5t7zuMDJFhy9\nqiOi8tI2LU6LwUmTjgcmSta2dZudejFH/TxYsixQgY3l0sT27TZcPP9ul0rQHcav\nad1OUOyFtlk3SIM9UM1NA69L78EwEXrikIZCon68Vql56nKBb6XXSTPsQEUeH1gf\nw459RJOIA5iTBAEYJOYEd84QAR6Ut2DjApXSyJFzZAt3AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAm2ASrXfbkNOmQ/TQ4uUM\n2o95S6ebcIKhg/h6HWY/HctMblpPaLfJq/5GEFdsNKs3gyo7uJfDUk6Ab5+BjBKm\nMqIDubUUJ7TNrE7EJYM+ml+Wf1MQooglFk+L1sRAh8uFSFOR4Q39cFQ1TS5+BjUF\n0fISXYcPZGL2cp0Fbwo3dD1UM3bXeFGij8KeXZ18Aijjbmkbsfgx4x8/HRO3wsAQ\nKNyqyQvKfkHO0HrzC8r/CLas98rfK79Ib76fheBhizPez4Efom9BljsaAPEaTvYs\nRoYk1UTefXWf+J5cOZcst+C+f6a3Yd108O6FUTVzMZVGp4PUQjtR1GgWhNUPCsyM\nsKenk3X1qTeD2+n4wY69BtBPV4i+8YZ/Qdx1BV6kdFg+WWV8YrPER+0zyUCBZgKx\naKmC5xc1yrcWW1gRrdAZ8HPvzoo6eHUWWSewU40D3xCRHcRXuP3vsAzX62Kpa+Rv\nszCveUWJK8oiwVt0XhtpCHP2ifWGlnUG9MWvI5wdEdXxAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }
+  }, 
+  "roles": {
+   "release": {
+    "keyids": [
+     "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92"
+    ], 
+    "threshold": 1
+   }, 
+   "root": {
+    "keyids": [
+     "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8"
+    ], 
+    "threshold": 1
+   }, 
+   "targets": {
+    "keyids": [
+     "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f"
+    ], 
+    "threshold": 1
+   }, 
+   "timestamp": {
+    "keyids": [
+     "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885"
+    ], 
+    "threshold": 1
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/client/metadata/current/targets.txt b/src/tuf/examples/repository_delegations/client/metadata/current/targets.txt
new file mode 100644
index 00000000..79dcded2
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/current/targets.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f", 
+   "method": "evp", 
+   "sig": "90f771fa0df7cdf4e55708ba7479e732de405e4b2fefe7eafebbd76f0d52734395c6610de17b6a0477918e1a35139a669bae6235999d50427d01defa7c8ad80b4c040164a1c0bb935f038fde000d02f0ce5ee30df27102fa16c8bec14ce4727a7f11c398b4f5539df2bfb8fb16565d2e07be4b73c09adb6017f336919240bf94a31ce527ddf5b031d77da90e2794ed1edda21673aef907ccfb99913617542b331bd7b6624409dea592e9dcff2420ab7a9f20e5debb83a5697ac18c3d9f53e7455ef56be414de6fe82b275e975e27a5f848427b056e2a1de773a6ee64a63310c3e8c1c10cd03da9c1b08b9284bba9d950855191ce4cb3e543a95a9c963cd1afc1f023a943bc38a145477599179f6d3ec851c3a7590f290ef8e37d3fa9233f36fbca1213c4000e86d329e581464761f592c8e4f10941a6e8fe67d81c9e54b82438f95fbabd02783b8ef036d5e9b02ef0b2944372de16db0781fde020bab54f74bf269f3b9df9f331288e80ba86ae398ca9aedb05ec42c2e8a33430fcf5d2365e85"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "expires": "2013-12-17 01:38:35", 
+  "targets": {
+   "LICENSE.txt": {
+    "hashes": {
+     "sha256": "cd65721176ce5fdbb05773c0b1349f993b94ce77a51062cfa7a78b34cc82fc71"
+    }, 
+    "length": 3286
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/client/metadata/current/timestamp.txt b/src/tuf/examples/repository_delegations/client/metadata/current/timestamp.txt
new file mode 100644
index 00000000..9423ede3
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/current/timestamp.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885", 
+   "method": "evp", 
+   "sig": "43e9e5c2474bc0a5b50f0b3bfb796fa8d0a255f2be3fa7100689614cd7516a06b305e72a193c39f49cd561d698d7ba8ac734e1516e4daf0cde111fe09fa94c83b4a062a387c34f892a6ee196ce29f4d0f1c97524cae404d8f4dad476db970a701e9bd1d940b93c0ff1276ff25b42f28fa8bc9b639c26a214e6f0d2058eb4c1a7b5ce3d415a8cc1a4067722deca5ba32f61440147623cf55297bde85e3e51c77a665c3884f08b7983fd20cd6e62e5a9246fb3c355f74e4e1a353319599cc04b115b04a0560a1fb81a3f45fdd7260e42aa07cb27f4249d1787fef04d9041e3a7395e444981f2b4af4be1506c793f2f8a86b131a2b8a4136eca73f4792fde3136adf5bb5acc22ebd84bf60d76b83e0f0ad2b6af51e16deaa8406f2a6b2dec2d3485c03d8017a7b933304d1f8b847e7df116cecfbcfe2cc191aa8961e75b527d99ae7b8c5c52f2490f7fb3ded81a4a9b841403638c2ff76b6eb54482d54c39f74f4eeac3f334ced98d9ecda7f28439b07a7947cb980f41a67fb9f2b24673532d4eb6"
+  }
+ ], 
+ "signed": {
+  "_type": "Timestamp", 
+  "expires": "2013-12-17 01:38:36", 
+  "meta": {
+   "release.txt": {
+    "hashes": {
+     "sha256": "c059dc4a07385cc3818491e25021169be1d35d405c6ea4aa53d2b7cc8c0801e6"
+    }, 
+    "length": 1340
+   }
+  }, 
+  "ts": "2012-12-17 01:38:36"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/client/metadata/previous/release.txt b/src/tuf/examples/repository_delegations/client/metadata/previous/release.txt
new file mode 100644
index 00000000..dfd82681
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/previous/release.txt
@@ -0,0 +1,28 @@
+{
+ "signatures": [
+  {
+   "keyid": "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92", 
+   "method": "evp", 
+   "sig": "4d8826441628b5d024478808ccb972a6869e357e31ce6770f1b1e5abf93640326f16441ded5c43a99beed7326757e1aec65f72707e9a38a52d8138d5880e628e6a4275fd245c12ca5c846ae031b1990a78699ed425efa0deb5187567661d4eb213b3977751d5b41550d795c063b07fdf601a69f0ec47a11f8ece99e1784bd8b2ab23766dc562dae739b32460331e2ae6dfce9b3e71ccca31ed566fa7be4ad00563e3ad71c95cb7794a689006a242e910036e503a465b2500a1b9ff3ae2c3cec86070c64fb4600a0d1f2d2dc424d770e4836904bc7b254c15511b5915c96303d5d50d175aa721bce98c50f7aad761abd057560dd2d8caef6b2c046bb6db76025ac8effc751d448d4ce4afe813de6e1ccc3a247b98c92497ddcbb8e87cf759a5e53d4c0f5e64440a530f39535771eee63761bb1f3bf65523b15284057c429204eab2eaccbd70307c91c2f313a3ee7a210fe9f6bceba0d390e160b2e25c141bd0c01963d5f12ec2ac10804be445bf15ccd4cef137cb896664b51b2db0a3950f9f34"
+  }
+ ], 
+ "signed": {
+  "_type": "Release", 
+  "expires": "2013-12-17 01:38:35", 
+  "meta": {
+   "root.txt": {
+    "hashes": {
+     "sha256": "5adad012a2d1b3a8d695ac4f17056d205f127d59686d1a4b0c446c8d0beb2acf"
+    }, 
+    "length": 4804
+   }, 
+   "targets.txt": {
+    "hashes": {
+     "sha256": "ca3f216421c9ebdc910c9416a294723d15bd0bd0747d56071b37560b738834a8"
+    }, 
+    "length": 1194
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/client/metadata/previous/root.txt b/src/tuf/examples/repository_delegations/client/metadata/previous/root.txt
new file mode 100644
index 00000000..8281165f
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/previous/root.txt
@@ -0,0 +1,70 @@
+{
+ "signatures": [
+  {
+   "keyid": "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8", 
+   "method": "evp", 
+   "sig": "47a01d62fc6ffcaaca0c1e3de74306d603a67e554acf00c125aa8b2aaefe73269cfe5875f230e2359eacf75c2cf84f71ae43d4dad9415edc80973bfcc620579f7521fdbd00a8386c54ea9459f714fdc305ba8544b5f157632844cddb18b33c95419490db52cafb564456af403a2db33a4f5ba0588db8736e6bc1c8718979a3818b7c9309d9d6a9b0ad686d48fd3148128bb2b0749f27d8b9e2640e278f0082decd56468e3c1002316b0ea9dc1d244499774c9e4e20896307b6cfcb747f89ed953ab6523dade8de33bd5a5ae5351d6be3d3b4140f131e62d9236313a9df644cc4f365de2107427ce8785a454da122eae1dfca6ccbc9b48eca88ac5c7ded1efffc8b2b0ee9f8cecef170592438aed1153b111d0ca0259c6cc131708a17d901349d6e4a6694b7cd770a40613da3420408da1d83fc34c218e378e1862c893e6a91cd8e8313ce1aed4ef293139762b6b5ed5be15fcc06504ecdc3c18bed1c73b18eac0d55a9788faa99a1dbacf16000da941380a3368a726c3d94990090ce5a0eb0ed"
+  }
+ ], 
+ "signed": {
+  "_type": "Root", 
+  "expires": "2014-12-17 01:38:35", 
+  "keys": {
+   "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw3GRZaihBaYj7TkcoQdJ\n20Oj9GKJaT1P80G4HcjwuRTrP9bF6K2yEmVvsisM7ZXY0tCo7F4LLnVxUf00Y9Cb\nwf7wg238cAF72HfMCU4j8mbxwkEK3yh1+N6A8qXfhJGmmftGzfqqo1e3e4dejZXh\nERiUPc34c2T5Z+ReG0GHMOoQNqES1in90AIUvvCMXkHs7BvWTIMJ34b2+JqF6L1t\ngF4Yax/7nJ+BOGmb21lpfPYdijCnLdI7GWeovqVY+fy7DCtQrrpybCBIn2gp/Cn1\n0EXGhMvKDXNQN1sJsi3M/i81tyCfouTOy//p5/zygEd3WkK986JSzB9SX0oK1X7B\nmytRvG2hVfNb4UarZd4Jfi44y5UPOr5VWd/YiLBnI2QkOLChhpSCus8GGi+yXJr8\nmQ7X0sctgsYxAJoREGB4sm1XmYXnGNuSbH+KSD1jYFhJKYPnJQCth3YCs7p/lfER\nWxMw/YVy+JFT2azLC5dgBXz5dxtTeCPL7mM5OB0ea+/tAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxKsZG4IWgn1vMIzIQtxr\nbXrP2sfeGsqMFpGKJS0/KJXtwTpOAb25fqHW25m9Xku/tSWqZw6EiqKKugeQtPHU\nYV0msWLUiSVYG6UQ4MZkO9wMnEaqF85upf0VALm7uVTcqcoZs0Gc1gIzO0Kl75sq\nB+vo92cqo7/MNAi9Dk2D3rGeYmca0y1QphkRHt2wmtuZyVkurSyXHXERM7d0+gVT\n5eajbP+E9xk70Hm4j4o3VcLBJtldNEclPp70j/8nLoV8S06DcxuPG4szrDuzPLas\nGAtKpJLDsp5nxTFn+6BhC/F6fLdO+I5lsxNg4ZBHVUwkbiwDPMSBb+TRjszFHOZ+\nzYuM7f+r6Ed537LUIJEXu2RKdoY1wsKkyzXiKEo+4Asyzz3dPnuuvuXFAN5jRBhA\nitkKPnyrSL2l1wDUazOfXlcP8uMA3jQrKZam9SqLo8sFnEMwgXAHeK8sNITOrnj6\nVMC39D24sfOLBhRo+N6f2FtgP4p/3MoQ6aw/fvjirWqDAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA4vn+PtG6ZJB7JnG7D5wJ\nz8QszLm8EmIznxt50e6nivVj9ttTbJFIk1Mgi/ob91ZvMlys23aYi8AjI74yZZlp\nkunvLSpwAgz4tPnbHy4G5WP/TzDjCsts+CSqcFAZZw7Tuk31Ewvh2cn0XpDWnFhF\ni8M1S6EEX+IifHndPa6pHQWCQHus+VieJuJXfr0COsL1tYFAEk1mOlm9EemBd4iI\nQUDKm89vwpj3/kcYT2EvfKDszF9SV7FO5DxcVNbqoUdkeUYuUVw5tUmFvHb0P00N\n4ak4LoHtR3x/ov4xOJ1IQt+qGa0DFYAre/KpRq+CYOH0OnAhOqmZ5t7zuMDJFhy9\nqiOi8tI2LU6LwUmTjgcmSta2dZudejFH/TxYsixQgY3l0sT27TZcPP9ul0rQHcav\nad1OUOyFtlk3SIM9UM1NA69L78EwEXrikIZCon68Vql56nKBb6XXSTPsQEUeH1gf\nw459RJOIA5iTBAEYJOYEd84QAR6Ut2DjApXSyJFzZAt3AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAm2ASrXfbkNOmQ/TQ4uUM\n2o95S6ebcIKhg/h6HWY/HctMblpPaLfJq/5GEFdsNKs3gyo7uJfDUk6Ab5+BjBKm\nMqIDubUUJ7TNrE7EJYM+ml+Wf1MQooglFk+L1sRAh8uFSFOR4Q39cFQ1TS5+BjUF\n0fISXYcPZGL2cp0Fbwo3dD1UM3bXeFGij8KeXZ18Aijjbmkbsfgx4x8/HRO3wsAQ\nKNyqyQvKfkHO0HrzC8r/CLas98rfK79Ib76fheBhizPez4Efom9BljsaAPEaTvYs\nRoYk1UTefXWf+J5cOZcst+C+f6a3Yd108O6FUTVzMZVGp4PUQjtR1GgWhNUPCsyM\nsKenk3X1qTeD2+n4wY69BtBPV4i+8YZ/Qdx1BV6kdFg+WWV8YrPER+0zyUCBZgKx\naKmC5xc1yrcWW1gRrdAZ8HPvzoo6eHUWWSewU40D3xCRHcRXuP3vsAzX62Kpa+Rv\nszCveUWJK8oiwVt0XhtpCHP2ifWGlnUG9MWvI5wdEdXxAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }
+  }, 
+  "roles": {
+   "release": {
+    "keyids": [
+     "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92"
+    ], 
+    "threshold": 1
+   }, 
+   "root": {
+    "keyids": [
+     "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8"
+    ], 
+    "threshold": 1
+   }, 
+   "targets": {
+    "keyids": [
+     "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f"
+    ], 
+    "threshold": 1
+   }, 
+   "timestamp": {
+    "keyids": [
+     "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885"
+    ], 
+    "threshold": 1
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/client/metadata/previous/targets.txt b/src/tuf/examples/repository_delegations/client/metadata/previous/targets.txt
new file mode 100644
index 00000000..79dcded2
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/previous/targets.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f", 
+   "method": "evp", 
+   "sig": "90f771fa0df7cdf4e55708ba7479e732de405e4b2fefe7eafebbd76f0d52734395c6610de17b6a0477918e1a35139a669bae6235999d50427d01defa7c8ad80b4c040164a1c0bb935f038fde000d02f0ce5ee30df27102fa16c8bec14ce4727a7f11c398b4f5539df2bfb8fb16565d2e07be4b73c09adb6017f336919240bf94a31ce527ddf5b031d77da90e2794ed1edda21673aef907ccfb99913617542b331bd7b6624409dea592e9dcff2420ab7a9f20e5debb83a5697ac18c3d9f53e7455ef56be414de6fe82b275e975e27a5f848427b056e2a1de773a6ee64a63310c3e8c1c10cd03da9c1b08b9284bba9d950855191ce4cb3e543a95a9c963cd1afc1f023a943bc38a145477599179f6d3ec851c3a7590f290ef8e37d3fa9233f36fbca1213c4000e86d329e581464761f592c8e4f10941a6e8fe67d81c9e54b82438f95fbabd02783b8ef036d5e9b02ef0b2944372de16db0781fde020bab54f74bf269f3b9df9f331288e80ba86ae398ca9aedb05ec42c2e8a33430fcf5d2365e85"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "expires": "2013-12-17 01:38:35", 
+  "targets": {
+   "LICENSE.txt": {
+    "hashes": {
+     "sha256": "cd65721176ce5fdbb05773c0b1349f993b94ce77a51062cfa7a78b34cc82fc71"
+    }, 
+    "length": 3286
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/client/metadata/previous/timestamp.txt b/src/tuf/examples/repository_delegations/client/metadata/previous/timestamp.txt
new file mode 100644
index 00000000..9423ede3
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/client/metadata/previous/timestamp.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885", 
+   "method": "evp", 
+   "sig": "43e9e5c2474bc0a5b50f0b3bfb796fa8d0a255f2be3fa7100689614cd7516a06b305e72a193c39f49cd561d698d7ba8ac734e1516e4daf0cde111fe09fa94c83b4a062a387c34f892a6ee196ce29f4d0f1c97524cae404d8f4dad476db970a701e9bd1d940b93c0ff1276ff25b42f28fa8bc9b639c26a214e6f0d2058eb4c1a7b5ce3d415a8cc1a4067722deca5ba32f61440147623cf55297bde85e3e51c77a665c3884f08b7983fd20cd6e62e5a9246fb3c355f74e4e1a353319599cc04b115b04a0560a1fb81a3f45fdd7260e42aa07cb27f4249d1787fef04d9041e3a7395e444981f2b4af4be1506c793f2f8a86b131a2b8a4136eca73f4792fde3136adf5bb5acc22ebd84bf60d76b83e0f0ad2b6af51e16deaa8406f2a6b2dec2d3485c03d8017a7b933304d1f8b847e7df116cecfbcfe2cc191aa8961e75b527d99ae7b8c5c52f2490f7fb3ded81a4a9b841403638c2ff76b6eb54482d54c39f74f4eeac3f334ced98d9ecda7f28439b07a7947cb980f41a67fb9f2b24673532d4eb6"
+  }
+ ], 
+ "signed": {
+  "_type": "Timestamp", 
+  "expires": "2013-12-17 01:38:36", 
+  "meta": {
+   "release.txt": {
+    "hashes": {
+     "sha256": "c059dc4a07385cc3818491e25021169be1d35d405c6ea4aa53d2b7cc8c0801e6"
+    }, 
+    "length": 1340
+   }
+  }, 
+  "ts": "2012-12-17 01:38:36"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/keystore/026d535ad9bd3a7b9dd399612f264fb4be4aa88f9668ac6fb86bfc1f891458d8.key b/src/tuf/examples/repository_delegations/keystore/026d535ad9bd3a7b9dd399612f264fb4be4aa88f9668ac6fb86bfc1f891458d8.key
new file mode 100644
index 00000000..f0f8b872
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/keystore/026d535ad9bd3a7b9dd399612f264fb4be4aa88f9668ac6fb86bfc1f891458d8.key
@@ -0,0 +1 @@
+1a5175e145f19cc3@@@@f8a4b0b32b85ab689236b98ea04fed7d@@@@a430a994940b1a14aa499c184c221503a15229481ee8312e36a9e758898b1bd6abeb5f1c8786d6911bb8ab910374e380dec2df183a21d753a46be773f994fef02ac7ae12ba5b56833faa3c8925d1d0e9a07e71506ba6f846a6cd97fdd23656e9fd91b481c2fb2ad1fc5aa572445ea0c459b2bf267e2a3467d5d29f1abb3b8693d15eeb8a372266ed6c5a890dc4b86386d77d9579a08d24df2e8bcd35f51f7a418e0bd964516597a71a5d577167ca78975038a06a3105f33bb80ac320d7ee0bd87ee97ed1823dc501211b7bd0347d5ac00248a90275ae60d1f70bae09f167b376677909cb3dfb828009c7e46e7002c84d1d41b65d72872c8ef6ee8f3070bc328ce83bef12dda6c9a7b708728ce6aa09ab3eff4f538ed65fd17b17e2668061c5bf55e1254e52196b32042dd40be1d34552a54229ff59754198c15d3468cb6b4c673038353cf89491a599144d15e3eeabea320e369da3662de7849ec35ec1bb88bd6e655f329ebe724bd345cd04fdfe19c5ae2b6592ab744e6063117d65b1408fed5599937339b977c0f8fd6ed0d657460abd3bbc8c97e058574b1829538747f1ea1bcd0577db3165780cb1583e382e6acc5ea0194e9e1e8f017ec8c562460bf810b16f392e850331a4ca3bd078f6000f6f72361912a191c14aab5779246c12ed6c3e12e6f3845871be7b0c0634d806367bd2786e25d8689494bd92bc697d0a371cc0e35301bce0ac6e1e1d30a1e9f1c79fd15fae98381ace3452f214d5b62f77463dc47d571c547ab9aed902160c564523f6a9fc5bba13f0069d7bc08a6bb2f351b29749dd00bb1777e493317e7bed3d08b614fde58c33cba53ce35aff37337f0a83dd3f63c8dea76a90e3b7ac1e253b8231d7492dabb32f43ff7967d213b875d4a26681188bf96f72fe325533fd7300b83541f4a0149a0e57a50b8198d66179e6061c70c1d81146ce0e772fa4df5cf6339e66468e40137b57de558521a160166f491be1910e4161b359b9f5f70646138730a6ad4749dd2bd0f8e77b325f0830b74434de20f94641ebd6776d8a79014a35772da589bafeb9d99daf909677d7d6824ad570d421ba1a8d2663df705702c99eed420a08a6cede44c30eb8bca1ce65217a76066432b4f16e91c5ca49b8c02936a5257b319cfe08bfcf875b5f53dcd8dd5b4549b2450da2b263f1b4f644320556258f8a23d4df5235e79da0d89331c1c089577c47add48c10707bfc430bb0c76eaede0d02ff6c17a1ce5b769d9bcfb242ac40ab15c49664f6ce83aba30bbc2895affef84840a27b8c0350198c68f1ce15f5422a8bfcc43fde0c7c0b45d630173bccf778075c113b166654b3012b4fe95320573ded638ea34243c397013c00686fe67cb84bfaa8defc2a0bd2523ec1ebbb3af6b08af82d3a6c2ea04b2a18a67ce6f1bcab434a1408ccddf0b44e402742d2e2adf5ac10e6e5999d58a17674192759d2606c879762b9154c81feea5f5640d29ff5569db07ccda9d17d7df986affd2aa936deef329f4781ae12d84740186f70deb1a6a93913f4373522381550d6bf3d7d4ca35a5554460e17a7508c23dce3de73c45a4fdb7c706aa078177c59bc4ef81dbfcc99164341655e73083c0969a2cfacabde3fbc4c5c2154be8da4626010169fa7175637de93ef9dfe2c3f49cb7d657ed5124ae6b4187c19ce00cfa2bfe6431b837bb738531bfb0bf2bea745bcbda5f8d8c983a6af103ad358b6c7c07991d64ff02981011d694895b965e5c768ebb737ecc7c6e9ba3f77d43f4506b1d97b4c12125d1e47c629ea752ae955251c4d4ed9ed70b5aaa18e1ec3cabcdab20e0fea6ad4d636fd7d4fb1c494eba6079d6c6116c5396178ffe181752581eba84dee94247a41d88254bd00b09be6f5325d99a2dcc84f28e1606d9b017d612f5a370087b9e4f00188c8182ab6d216a2261a0e75e2dc884bf3c9ead9d513da66d2fc9fd4f5ff5f885b110af27bfaf633b7e1297ad55cca49b36388debfdb80631a6df266cfe5d4a63805dca1648919c81fe7847b5dc50d17f6a19b5d060ef3a71e1c43466594bc72ab6920ab91bc31ac3d5222776455ce5e8b4e09c683f19c5557677d73e46d7b0bad30bc8ba7876bd28a40eb78f96ff60b94498051c19e0f17c5d788f16c48221ba5cd3fb940ebe5e5f5f37938eb93214ceb242471616a5be478798154756b645a20ef1d3764033e67824cacafbbe09e7e09433d22d135c55603fc9368c8b0b06e0416655635f78bbf5873ee163ed5b38cea129c46f5202f0c97397da337344f77f2010ae088b002bc139086b57a5727a008c5854cc6c0f1358258150b26cbb221a95b968c943abea7774cc0b15ac898afab1c5edcd7b4b34bd9570430a21440306b5abc925b9575b479e2dfb81fd43a34b79f8bec6409c98bd159151ff8552f26cf8a500713dbb5f16d1ef4046eee96ce44f021bb694600565601cc12dda4c41e3fd9311ea206ef607ba9e442a4f34ac0c504341500e2024d600cd352c644c9052a9a875fc7ea0855bb3d025c8505fe3184d6bd83faf013ce8a6dd288283cbbf72c5f8aae0272cb7eced3522ca0f608bafca4b971b9620105e3786fa1f3848e31ef5f61022e1884900a0fec3df622df4064b080a7c469bdbd869e2d52f14071c9c73da93a3d2006a0929d0e7d116cabddf75c78999e2428f8492b28ff2a2157fd4d21a5a7db236421c0a42f077aa817f8e42038e09be40e50c02d6dd43d8666b587c519cdc114b85b750db3f769cde72a661f291fc842729926297a9f27b7c95b2252c7c5ef0b65c7e4351e6430987667d594ab24d9c1013c9fb273e469a5cfbe2aba5dba82af33ad56de4b3d36bfda6078d48b5f3388d94afb1c1c59796779c403fabf5adb67cdc1c26c18971423ce50295e338dddf18c06c7c1126f612378695c6ec65310b09f4960af5a89135355601e5e6a140b51d5f7a0abb26ed90767280ff64703b78282319f7dd695345b0a362fdf21b89781c45f31e7d663b1daa4d1291ae43c03198a0bf5883dae3950305a291b73eddb396637ed47be9a469313cffc3b91abdae946d8c603b04296e64a701fdabb4e0a68c2520268b7b0d97443e04c333b5bde364b1d8af24191b152edef24ee33f78f5328eb3ecf445272f33b12a819b255c64a6e86a7c8cd1fd143ff0c2620b1085424fde8f6902cc48d242ad9a326c8a5e6b291aeb22b0ddd37109b01f69d0f46bbdc5af02d8523451ab86947712cdad384f872e51881da198492bd3e679b4fef0769e940c54f58c58453f7d64b79348246b0dd587488c759007c62f034a1263d9c1da67507015958ca42524f500c987466c539b5d9bd04606abb308d3bf90d7200a38b5dc28628dbe663ef2de0a46f69d12d0e30da832dd4915df2e818ed167744c6b357b8504b3114088a611f385588b5ff16f9ee5a3aa14708e54727e3591181c77f10279d2d64062e3b492bd6141824b8d1f5cbf17b44d6109b4432f10de64a3295a0193495e10857f9cfedac08cf306f02f66d0e1714eeb93918e43a5e781e7f9a4467d13d84cc32e744c2127d1cce07cbc8c9c427e0275607308c92abbb262637e655b40b14c2f6669032ad18d98c8f5ce54b5cf790ba80a2c4715bf56660ff641278c6a3d8468cf05bf96e85b07ed5bc89a2912e9cde6da5abf36ab4ea2a5eeec67abdd15d58c25904e50d00552fb1ffe584fc74f2fb79eea62ff183a77bd47822451b807984e3cff1e6c3c0920044da02b54913dd945a56d1ab25ea440fc8d74a72b79a16d088322a7ce1dabea2e2934d9978ab4a0dde7457de9a99ab7c88d4f08e7c8849f390cd4e4db9d82926652af83c664f52cf30f2d8bf54b407b781e341b37091982c4f9f8e810d48d58bf33bb7c5ab8bbc013775eec88564f6e4f8a8835bbac1d978d614ffcffce3f17aa62b928482315244bd3a3e22f642bcf6fe88d9f76e9ead7135d6a2daf6548c2e5fdb251d6fc95376b7e910a17545213c703c7e375ad518f4b9da31d2ba9543896d4b4233766b6770402316ea7a8c4dcb4199980fc0a296f5f84c2b7e5ba18727d80cd99cabc186ff68a1b69fbc282d7af8cccbdd3220a62f4636683a4f61ca3cc4a83e2a592682bb2a4c47f8ff4f14da5d3958c3c7d31aeb21872a63f60cfc359488e95897e86f2024848128ad88f3ee15f110e42feeaf0e3dbd889e435f5d762865734992e20fc3f0baa0a5a98d5a015f9b6cd53159e3934799d63764f138a6bc0c0ca4e3ee4dbd68f460e9fca16294f9c2f4bbbde529d3e01fcd42c48287da5a11d3e907aeedc2bfa7e69b181f10f404fdc0946c9a1892610b3bdd2bc65c937663a9438231acce120ea7ded8606f7e00b7b1050a6b18674c358ab7e192e4625ff2a76b3039052eb0b2b040b219738b1a9febc362f09d88b5dec752221b67c58f6e5e218ed3c5dcd8132a64d9b18dc6531cfd1db2fe6c22ac175ebf5530c1e5cab05ef539d482c4ab3aee09bd8469eade456c88b3a04d19d6b78981cd91a7eb5d2bdb5b20ba67
\ No newline at end of file
diff --git a/src/tuf/examples/repository_delegations/keystore/0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f.key b/src/tuf/examples/repository_delegations/keystore/0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f.key
new file mode 100644
index 00000000..58fd420e
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/keystore/0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f.key
@@ -0,0 +1 @@
+1255d329313ddc82@@@@e3e1fbcebbc08eb17b074a0f0305f80a@@@@a028eea791c8dcbfbf473c6b8229c824367d788bd3395c62ad4c8b8ad07b7a6ba738b6f3aaec74fe46c2a847064697d2bb3c362421f36a96f0179c55661f9b9e4daeb0d47f901aa1ff8a973096b251c94bd200cb87087098e2670ffbc4356e895ea058be587b3eb55bc9146cfc584c30af8369b15d2558e577221508d5e73bddd3668697dc39ce5f9fb733eaf6b687dc3ef11ee84bc1bd11603a0f8eb31893b75df11f08ff593766db9113d6e7b90b9538817c25314c9969a9490b4ac3e91239781f6dcf54e19f2a0d07626078a0760e36ea86b55e8706ea1ba2911703c3e03522365861ecb809202554a733be66b2a86aa733f77b44c41ca76a342c882fde2285fb7e16c14cb61eadff5b54a1adbf8aba46544fe6b37870e2ac3db4fdb38bb4d1faa6196a0523b0d70eea48bf5edc4d4db6382e9a061f76e0469a2ba0705d6e083474a540c274fe7e39f6a2c1c9db1f63695efd2ee8de12f4e49380df4a438e894c12002a6be29ec97f262bae418e0f1a8640c0c85e07a4b6e423b661f5393ae26de58228975e02419e687bbaf48e2e27db563db9aac7a289e8418b56ae02ee64c6c4bd805d5146f38e8cec5366bdfe5e014046517e4cf2162e8a12b8dad9c3d6437c72692ad2de316b3005b32997d54bf85de4ec43335efe2bd2f2227b3eb2a4eab080c939b9ed18953254fe8cc8141b4d7714703fcc101cef484577baa49a445d4eb06628e274388a1fa689355da87623094fcdd8c7ccff55807d62e0be1e4ee0b6bcab5256ca29405787fa3e25a6ebeea8e7898d92c9179ccb740ed138a8cc333314552e93337942cddf3cc4c9e2be64f5e0ea985e80adb058ad009326810eb0270938af24e74339c29afbbc383d6fa4197d730163a45728acf9ba2ca5c2932a38c1a83ba985633c3ac3b06732c69424aeb4718d1ca1fc72fcf92d526e9c1a61124e651083078b41e9c52dd940bdb8df5990214445087331e882fd4f7e9a62a9d39dd92e3b96d0e000605ffb368cd7c2ca39457ffa0235cd55c0a018578a4b88166a75cb976a54777401ec9ccf34fbdb714f37cd3a3147da69a11c3b0fc953c2bacd0a6bf8d2829852447d5fbb59ceef7a2bd5c2597cb2c7db50a9eae3e48ba06156d2ca6604fe0cbfdbc5889a03472b4cbbc4d67dc9dcfd5a6294e4fdbfcd2eacdfaa4f885115ccfd3805c93d73cbceab50169d30ea0a5deb40152cfa4bb97e447678d8b0153acaf03e6406f61a5f498537f605dfd516561f95991773f186bef765688a4bf9bb77ca9832a8e7007f0727e8be3927e1a785aa401a6f75ac4b94adfea0104f654738891543ff19b8e4be94967aa57ace8e96f1ccc8120f8ef53e96f3ff5a8f775f80d2b935e57a15bec0ed7e1ee9ab7076a96b964eff91306bb6547877587aa4eee466b1116b2eaeb48d2eb94e2d074b57a2d6d59545d95db5afdf5c27a4235bebb13e216d8baa5c940c37eabda9c5d530cfa73f336959a743e1933fad8a89f994d385ae72f04f4b1f0eae99ef057b66b230192c8ba365fb28d773f6e221348842be95de39debc3772b3fe1b2390431defccd0312cc281a9e543f031375798af9daf1fc2992a30a0317fc358d0d58375bac6e903fee16a50ee23d3536eb99b5a47f7b885660112a566ab95c0b6ae2f6ee36eca1e681fc8f4854189a4e8f4fd1cbc88dd61ac9aba6eea271edce35afc8b484df80af03047127e359acaaa31145d2bc6e338dc32eb234e2dfcf1ca099eb9a62c6da6e6832490d2f85f516574540ab3a4ed28bba9b729fad9ad4680fc993fe538aece0778e7722f7134b1d64638a5b9f5f0ada8db58c7a22199b80f80012b89034f4e53429bf88c7e7a7daf91fc444ee7a3b180acba37ffcb323230655a75041718386a3e0f603f532e22b4dc3262a2b0f6705f4d55f0582467c3709086e1b842d74c54d60f00066f203d2cfea01cd78b289548a1d13eefd1c0ca5c2277cf7bb4651e80b47479577a6f24843a6b555be1d97cb18aeed186c922525b495c1ec00bdebfa92973af0bf1993bb544dd4e437058b2661e908989696421afa6f30827f40c98b1501ed891b3b3e23a263c1bf1e0444841cddcd16aef4188313db32a0596b45741b9612b4d4a6f3a7541fb5f2109a0bf3cf6f9172afee70f8a242a20fef5043d3aac675e5b68ab7a5803d3912384ee4ead6ac8016d60245905facbafcad2a0fa36c5ad2e332898e24eade1debff1ce419e710037bf3c37cebaac95efed6646b8f41e1064bfdcdc69f32bbee80a5ddb0efc3e4d3006352672105b2290e1a30336a81c3413630af074ac5a36f58be842b01c469e2858a06ccc139f44ef1f06332eaa1e2ae66926621fb9d03a3960696eb447987ed985d33451fd1084a64e8984c69b4fab23a5d899d997358b8bd094d5dc8c6b0e5d92baf5174957603cefffe891bb4ed272299b8652d2126366f04b6aa8a6ce92c07564eed3eeb7acd9024ef3489e8ee6f536efe3eda422f874065ef0cc8794e4ab300abc562b794f4bdfe5e745c6d1e4e42f87c5d766a2d3ce72c666b5386eeea09d6d3ab97b6ce9f5951a1f63664ae15c2b4398bf072056c73e2dff9cc0afef2dd2261e440f4e735aa7bde8b4ff33791832c74e2ebb76a2c6349cbc971e6fe6c4eef3b9763367fb35f2f496181272174d12755a70617f53fc67842b91c844affd7adfab7ccff8117ef3e61bd7728b1b43366bc65fe679641810af7e1015950219b9b33231731eb28d1e991c9be205cd1ce9739125910ca756b7d9fef4533f63f5a0b88a441fb6567eaa01d45f736e1aa1b1a32dc865825b826fbb10fec196489f04b8ee578fa320bb4df58ce7ba1b7deb11c946ab10155cc2aa19622d62eb559cb51bd3cd74f776595fb20b66b9182b2cb407d27f064d2142f31ca068a0e27518c5cc2d2722128cf0c340fdc89dd3fa987e80775dc8120a9f87f62073ee8c1fdd9901e7c37fc17166de05dcf829591393d71e880c6034ddcf1ec283a5401ac6d869afed475610d7c85f0db4127a4c01ba721956d62f05bed2706e3b0c9bc223171a058b01d0602e48b9449e9b924cd0943f23e6aedcfb004075d8c7bb4648bb4a3a71291ef13d6569c57720b26d3907cdd65169997e5ca8565205fda4506f3ed78a861c6989d73034221d787520b9619be66ca89665d735b577443545d30ee43a3359e6b8171c2a4eafa1c140c8013711b20056ce851ec7767415a548c3e4bc4b58aa9fbda07502ecad347b5385b6749e8dd038c9a1ec653ae97420b711625cfec86c6572f30e178d84fa7e6e730675ea6b66e3377ac5844bbfdf5aabd4ee61ae92f16aee1878b819aa72beb82ccebec16ccec4d0b8ee4b1190f11041d01ff1a49013e711b4b7d38ec30c483ba286c5e174e0e2f2f0d7b46e17fadc50b444b001788e4ce1416add979474f723f513c0281e00a0df1219cad32cd1afbe9d7ebf48fe8f7d335bc7d64768f47a711b5922e317053d71f1fa42d3517cb0ef84eacc0f0d18a260ab015db42250c869ad0487adcb66382275b8d458b13a5dfac2d0aed259ede28465a24ba42e2699ef49e995956432d8f4858af59293299b258a4527881b0c5093c5a7e13e8c46a0d979a1c948f795ce978b0e688d2a0660b0633004d09bd5c3dc8be6cc329abc2adb853b26a0e4dd63baaffd44f2d562f0b9a33e0582cf764f9bdbf03fe601ca02804f1445946b5db53897dbe6ac39381b509f444b8417f2ac237e87982a52cad606dfb882700c65f0d0f6eda57fffee61ce516c764afea4a10a5e6a4a0ed8f0b7e74187653234969da396c758117e5e7c3fcdf9fc241a8798baa5741f83b29dd79f96937ef03876b090ed17b1505bc8c29d50248ea26c0587ea89a41824802d97a7b13185ebba95b93c2dd3ca7279fcd0a169ca1599b46d852ffdf74b7f2eb7f08c5af910bb4c3300de3497c432629cdeaadb3d762f4f68be036774c44efba6807b35a765090fc564dde4bdc8abd622304e8d879d11cc3d355056ce43d42c98c89db484d5494bd757684992bceb7fa72cd2f9abec605f6d25fa83f0df8e8cb72707dd97704be474b34697fd5d16530e2ca0651d27f15395d6bfce769e1b51844b261ec523c052da7804a6415e4413ff2645fc86b28f0e41186ebe98c6a384c6edae8560e4e0434e3aa590082110368530daf82ad48eae8aba308a7018c7bbb46752c349d683d302c2085a352c4ef05d5c31609566417a967e0f7d03b3943b5f0335ff8057765067a29d1cb62080efd700bb7a6e94122db607b94e35ffb23b77d040509709c79ebfb95354e7ad8378649ff6fb20bc52555de71bf9ff395d7cc7ee3d74138e33fcb7522dd60d4e759e619e844552377ed2a5bd5aac24d6dc138e18bd1b80bdbb01fa29e55a5bf10a3e2b8f2a8e71804c030ab94dcd7749c145ffdc0a19fb6bae0c782d97d5d1b4d14c73aae94af9dfad847b899a9cd446ae3a14ffe9fd0093ae95f12e588e012ac5f637b618b8b80f8a59e92a20f5197794a56640b88ce9dfa7
\ No newline at end of file
diff --git a/src/tuf/examples/repository_delegations/keystore/649077bc2acbc020e340a4c8f13a106787ca75d026ec60db5c2c0af3b9b60085.key b/src/tuf/examples/repository_delegations/keystore/649077bc2acbc020e340a4c8f13a106787ca75d026ec60db5c2c0af3b9b60085.key
new file mode 100644
index 00000000..9813642a
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/keystore/649077bc2acbc020e340a4c8f13a106787ca75d026ec60db5c2c0af3b9b60085.key
@@ -0,0 +1 @@
+b6ab49cf97fb21e1@@@@a5943f3f3797797187bef750b877c634@@@@2e87e7b5823941d5b3a4414ed902c98b2195ef30173dfcc3b1441e33dd339c17e170bb3d01edfb3812416d8eecfd0679a77423b6f992736c8f48252e004c7e81aac8a8613219fcba1b4df4df21a203b0ae0b60fbc42130a19c4267413a3e4855baccffe01ba568fbc4f6a4edafab920b6f4e559b46976b5cf7a2f510b81bd23aa9a46859d461398b1582b5601ddac8b861ba8c944b3ba08262bd02aa4dffec0df54702c6701596be8e7e5669856a414a222709fcdf6b8a37498622f5aae467d289fd6d4458dbf8491d1a760603fda00ee4766d16517255d69989de592dd894e20d6bdb859ecfe81a41ebf80589ce75779c94c9fd9c9b2bc3e9d6f4e74c88ed439853449d9be9b6708d9b5163382416b93e23d94d267cf57c8f2d2d2b2206c0b38ddc3b72ca04370a9e1a567e53f6e9c1642bceca92c77b1337ccf9e7ba50a5d672b76a7cdc2233d51179b2367947c855f7c7bbfff67e02b39329f942bb66ae05126e1202eaf19b9c52a0e1a4e8c34f33c6dd24d2ce36995f2ddcd44ac339d94524d30346e6087dc479124887d3ad670771795c462e8898a69086632e9a026e822e3568664031c5268fac89162a079cd2083f1753fb156499d5f59ee19058d9ceb10a863605967032a5669869991f1215f511a87117489f4fac15912956b0888d4c108df05e667bba74afe9dc537103f1c40c76291c8a5fbec34bee3b488d5ad5e32e78d406fb8637eee7d086d4041bf58cdb5efe76c1b30b58419f07147a37ea1839afdd8c595f0ae6fa6f333908d7d954456e20b019459f1839c1865d60bf311db0fc3223eccccd6d2fde936b408f682bfcf50cd57dec95bacccfca46ecd0dac9f0528eab3c76892280b431e9ba39037e577d679a3db9f3d87e98b676dfd678e997b76e67cc450498caa0fb73a4777e8d267818f1b9a9c3771f843304fac0edf80f754c94082536428449a9e979ae019b2a0b786e84e21f40adc4ace8868ca5301720d8528ffced3ba5fcfe1ef8041e6e9bcf7f08e66eed5689ceec05a001b3187a9e4704fac5d5070e7da0e006a8ff3233f39ec6ac9f59d3be4b7f28bd06b2d767c67c200563c691afe95b0acca082c3268fd7ba5f99e319378b07d5038af5ec354995155bf528f5fb66907c9589b9e9a29719e3045d4295920ac86f00c71b2bc96a5b8c9b657b8cc5e5f33bba10bea02e56385f488b175b0b27b7ed28cdc77cafc6163a3ef57114496b6d5d1f70d661540bfb274ce98815b0b0b3ded0402d3e9d22208e0d53a0dcb59ad3eb43fd6cc9399bfdf9fd30f8765601fa7efe585ce621c49b743e10b45c1c110024f66b857c5e24e75c245b957531ebad3b79c7fa1f43b419963cfb5457a99cdcdfe0efc715db58f48bf660f2ca8ac115a5cac950945fbb21c9c3b513909271fd23d469c6cd7f65c80a76abac3b2f9e300c705018e53e64350990c152178f4c406afef17ea982df4020083fe0f5de4b30a93acaf1e863eb2ee99c7604958abb177f6014e9a798a3145f852b95c2876cb455c2f5eeb39cb7438b3ac7b85bc94ae92ae983016265c77237303877271736d6d23d1bb3862d659950c09ac592d97a580947e7f750ee4b456186277cab80d5db9f6f69836049319f8f9d72f416b8c05930ef43fc62b7f9e67713f783d9b9c8b3807f2590b0759b6b8f2c9ef0e48e5e5257b2e82e2091c0c1aeeca001d5ffd6a892c92e81d615e4ab219eb0d2b9b46d956fdcc0788f13992da16d5317900fac43a75a8b32c3f8cab8be62174c2749e3853a00513ed3ec8701423bf5dcd69a0eecc17bcce1e0a40827fe0c1fc1a5ee0484149922321705f6761203cd7d2f8463fa57a225a418ee8de404b6741a2e4cd86e7fd55001cae1ecc8128a7521fe69bb2f52a693479e4d96c6de85232d5a125e9ab92e473cb89f0e74b4238e67716186cda1c91079849392e640ab751eb01ed99cd2103026c3cfe7245407d81c6db80084baed4701d1dff5ad98d104202cced71d157a8d97850791109dc59bdb45a2600bdc5748868089a1b5d10492f2cb9e3c9cda024f51cd6f34d793fd486ecaaa91b5782cca274d9cecfec7d136549474981a85d17580ecc716d67fe454ac2d52faad5a2257317b48a0227286c99822d89e9183688a3beb141614732a8a57137dda64f030ea1cf8c0298da58237d84870757b11539d6b7ba40bfb5cdf6dd1fe2fc1ecc3a5f038f80d44cc99ba76bf992900752c1c084310c858ef8a6fb691a7fbe7bf6acd08deb2ab2ba9cff39a04a804b464316e6a962ff83019cc6056aa53dada7c47859dcb0f6973fccfdb5d0bee2f6df3e655bf4116f0340c3f4cf66e825cff239ca715f4008d16a86715e770722f59c657ec9b99a14fe64c9c0e45cc90aa5ead90793c69b8761d15a03ff20eb47e54fe026b342e929cb5749507843e4cc7c67b6aa242a4fd248dc981f48465db3aedddb42a7b15f7942646c0085ff93e40b5d9a13c890b309f0f81b3732171fe13ab2935e6a228080f7b88460b528ac624316867188db00f594354fee701b40d6be8dbed4455e3f071eac55d73827b6006622c009b5e139ab4f3c2d54dd9d48f407b570c587b8d72d839343eab04c657e05b2cb678d4705de2675b4a3741bac4642b33cf17a094d3ea6f211c614b33b5fc59988d4877226f4f197e0d541bcf8b4756c4f7758cc4741f0f14816bc80139ae7724bdf5837f50abe6c61aee60157e1ecbd138275abffb37de3bb18ebeba856c4c30033fa60dbf9079d7e2bae816290cf079d0983b2b5c1326b7b870ddbb716cd00c07e7cd8e3c7264a621014fbedabb85fbf67373b0e0b12e54d91a5315107c3dd8a793f19bd6dd10c2bd48a7ba9bd7e778582397a3cbdcefe04b945200ca82546d92eb177f50f97a15b432b65870a8ff1119ba5fa867be13b2e3458c1566b529cc98949044bf845a43eb579bed36cabaa766ad3813d62f3eb24c32575a3c95c8f1445b0a6b3eb9e967b81d4dd306cdb51ac4a5cf5bc041283b014a015fffa40ed054878c1313e9617a723c1faccc3600b7b6014245a56d9b004580cb715055ab9ab5e4c85c2f2f777207cc641ceaafe0ba163877138a991b7a3b5c21db84ba8dec77deb038e25ca1edbfdf6e39a83683f0f1936d0ce0effcfb96bab98985c01db6f2c5f3f56fb6e1d0d1785d2a13c7ad72a5f9b1cb0ad4e16f3c8bda7cf2776ced674cf47e3346fd9db7264e29f785c975d49d501c526cdb3cddfa544513b6af6fce8a3486eac5483d1a91ee175e2efd58c003a6e1006e76a996eeee3b47e7002add863f80cb2ceda6cdcb2b023b02fbcf1e3daad59048e2a3237e9fee8a5c4de424d7605669277594a0194d8b8c01b8499e426be314ce67415048d49dfc719f61a3ffa7f5d7bc39a4444118ea08bed765dc1c72f1c42012cb9eb5dd55bd1129a8aebb80ea77a3e9d44a3a66780988bda96d6d6762dc2a08f64a715d5d3463f3848a375dd7293111bcadfc346143dbe09ed222e50bf5d35a08e91b8b90bf2146a4bde28de2b89a6a3c85c6167dd77c7c0dd4cb4b52eac2ce1845e8c009bdbc90916bb98e05638ba5ba08fe4e566b8fc6aedb944918e64831c4a932b5f0e7e53a7b15ae8285e0e159792d281ac63a19be68d9f249f44beef4764e09546da8f01d62cf87f7fbba876fb409fba4f62b7584c7c341e19d94babcb601382dc39881551387b8a0bce9f34e6281879e3fb2c7dae776ae4fed869d3443b38f8f1b9e5abad40b44f39f1ae17cfba895fb536bd6dbece45e21cc1c98bf3272a268e85c45d23578f6a6be7370b2b8c81f250ddd9b47950b81c2abf04fa42b24db429783112ce9ee60c854f9909a181ff5d6bf93cebe8738063e9c419d27e44045a7eafbc66bde7d5996e9fce67a6a16e9893e42e0e0ead67ee50100704114005553f50520772cb783d62565f6a79d10afbdbde911377e4acf99b856e0bba2459d0824db4a4ed00d4d32527f61f26751a119a1f9cc72eb1cacb6b062facace3a7839556c2e3ebace07719677c48d2593562a96ea411fcc67cf65761bfcda3cf823f3c5f5dd046c24a19fdf20209787d1e529c32cc51b568a2a30b7c56b2087902c14f55b39944f0d1f8507bd433f982af894a797cb0ce0783b40c9eb597360e11b3e81b1927c78b3d44b721c326afa2a650955ca060aeb0f7857f4141779c244671a93f189fa1b604120e9163cfad6269bb7bb1326eaeab081206e20366f810ed2ea74e92851b5b516a3fe3fbb2fb940595a5d7d9344a5ab24663397c6931299062fa79b964e25912daffe9897ec3c149671f7da3111d41da0e24a8298eb9abf127e9f42c37d65d2b2ac6981d97cb4dbc078984c2bd06998b97c6d9b8f82b074e5d3fbf91c872592a288a7bfb6895c87a98657ece7dfcebd768f466e806c7f70123a38dc8d7cf65acde6526d113e2f262f2eb1a665a09b4552c00494f7a5abae760f8c4d633c29ad7344a7b94cf2a2fca277a3af9be8582a0c8968f6ac0b891c297a0cc3da536b80995c80
\ No newline at end of file
diff --git a/src/tuf/examples/repository_delegations/keystore/b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92.key b/src/tuf/examples/repository_delegations/keystore/b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92.key
new file mode 100644
index 00000000..39cbed87
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/keystore/b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92.key
@@ -0,0 +1 @@
+fb0dcf018bce420a@@@@dd4d4a01930174c0d5d0005c504e803a@@@@f3f0470ba6bcdfd2f548af8b3976c3b102daff034ef430347cfcfd15ea516e39ba39dbcebdacec06cc3789c250a3f34af7710dfb8655ce31e68e393cb019a72a5e392f04fe70a821172eaed996acc25927cedd3342fcf12a31014aa724f2e5c65f5d11f09d7b5d56e825ec969e725d1992ffd7f00ac02b947a26e30a9c65f969f30491cf0ea23d2fed8369b0c3d6991c8b4285b099358ecb82670b9e6f7fde8476ec2899421a93df0ac928deb47b22a832056c5466a0323e162196ba364055b1e0c6f56b6b2d9b3746e7840881006acc66a1cf8c87a1d9e55522dea121536645ab4579fab26a29c4676bec1e4dda252af1ba3db2034da278535e9e7c2e410204e5d5e295fd86f47453826a8c175b223d23bf7f7ecffa3dcb88f31935acf3f8212c540e73f2012b04a38aca5e69501dfffde8e66bf61288da05cd20f767a5aa83779e8af444b86e67e3321d26b1be75281e6694a5d726a894c19541b5289d695d99767e9557a8a6deb0e4a0676f6ddf8b9ec218a16f2872211bce5a9c722b62f3cd6ad45cd1224b75b7eaaac721ec6d42997f01a55205b81010ab1db5df2ddba59e807ee917b0f8dda0e4e0d14c673a73d721104e19a51835ab7ed4b6ac5a1f57ebc969b50b45a8acaa14a229c24f3db8e42b46d04a4061c9c630dc90760fde343fe770b0b4b2d1a5921ba081e63b4a245d7ff4c84e6e6be5afb90db1fdaf8abf138d4d6f5e66f48653bde6089c9f8bfb9eaba1445ee9a20917d382e9fb3952d510182ced61471e9c9af553e08e8ddf2e34b71085a13ded6d86dadfdec19b1f250f4daeee6a0f2ab651a01c30cd50d29aa838cea667aa1d21155d85b275440ceac90c266c25add1049dfa247ceb17fa4da2718ffe0e2e1426db0328cbcf2060e24592d446aae1dc76bf5a757926dc9f1a2a410a1383d096328c2ffa0986717634cb77cee2320880789042edd10204883433591ccad4da2d84e5c9e601eff152786726c87542ca68da718a5eb42f12aa8d9b78e170d79dd4c1b3b86f470164db3a37449118afa2b758ad44185de7576f6833122b5f3fd198cb8af9c94e93d0aa3a3aa6824fc7a5083907864f062ead4f8fbe27a0717a51d4ff59db3b9ab9405eede82a7848d8da753fbdb1b8b5c36348671137394c89e36dd50762929ade84f2ad2a2dcb04e41665ee6122ca3f4e7843ff1bb810f84fa9428ba913332e9169ebb6b0a1ca76b2670d1b4c695742e2649e770d24c6e553f6efe30605d8d0060db09094033c3bf5806867b6a8a329e0780f977628c1d2b18a5d8915c3ccd5be92b47592b459db07f33b68cfef50e2d03b9acb8eccb54d145da838f4ac7516ceb37876a798d41e6f185e9843751d1c01fdc427ba8b650a8e4606f6d1dd31a8552e0d1111e726d635feaebcdb8350967153bf699031c91b4c75f0397b74bbd634f3fa6a4dfac39dcab743a2a2ad52b0b154c75061254a5af70415aa9919b5831c0b51a3f3b26c1111850d89612c1617ef79a32cc6864859de1f91f674d89001ce66d5f3c9a8ea9d2e34d1b175e81e84e7271c9b4e5876a5aa29363057f2121ebb017795d757b4fe0eb98ab78462a33edc5d3b5da4d2cd4c29119c6bb1e9970e529bd11a17cc48e3e7d6f1f523193f076685efcdca2b7b4a3c538dbf5ea710b7adfeafa7e3f377b7a26d1d88ef3f726df7e45159b68cff8fc054b05969f2d392adbd6f9c254609f1c97806b6864eb8ec666411d967c2b682b193539ea61585261852ea7d8cbb000a453ddd14c34ea8753bf78e18e262141c242bdcddf0f0d7f7ba9299243fb1629c826979614abe7885f1f2e95e33f092decaf50affe0171c6428d35300f170588dbdcb87efc7607a9734417177e6eae5b4a384eaf93f5b0dcff7b4d988b557c36a7329fb3d5c0d3fb66313c2a949deb6776f293f1eb5c6b847a062745c69686345752e67bc77dd0ab0c32ed74dd3a633da95105407257e91b63520ec1f95c04648474693d1fc396107d4ed8be5a0b4656ac155231b617cd17b58ae8f7c09d9f318beb7d5065f14e6ba1ad2f120d0f6240ccebecfdba9b3b4bbf8c5112bf17f52940357928efd06eeb58a2c66cb71d3a6e5a323032f7fc155ae657cb8c62699396f0c0f007b747599a6a45be593d0c5d7dd39d564c40fe82013932bf49582dc9d1438159e431cbb0019a14c34433c3f567228d8b45a7935938f317274e337d98ea8f6e33c10ce872644ff12ac6acd9bfb2ff2a4e8443c3e2742a15b5fe5164466d77a01368b8aa2c7a36713815dcc3cbdb12935f53827da6141cd0850ebb6bafa7ebd15234d56b2ed6da45a715d83108a418c1142da4598b9582f8c939c00e8613396218c25fb414cc5d749f3f27fdb769b1e65066107f306bb32412687f860897b9a81a1d8f643251d018288a4b804ba5b04e74ae3e0bb8db7f087969e70dd88eefba925b9db5c8ff35eaa643be4fb5b39ee55939e09b52e5520fa87bb95dc72e94eaab02a1fba163fd8545cb8bf0bf9d82dcc8805e246d17ca89107ae3a12d523b2abc91d35cc83239fba794981ad52b2613f5785523ddff7fd60d109b41dc141815f0f4cd689e5cd59ed4012037610cc6a01417ec58b7381f4d5085d71081578dc65b0c80b2bb5d8362f70fc8c8660347b3d248bd938ad2189fab3fa0f0b1d3c59a2c05a33ab5ab3156063eba2c698ad4d401ee1264c61b8ed538e5d0cd480cd2c7b825e423b0c567d96e6615b0f74672882b43c52d29d215574fc171de59a3f8fa053c0fbb20f72598f82df7f115ec2209136c004856c340bfc74ce1e92f3bb51bf1067d0a8a4bab11e2f1c737a4d4c22135f4163df0dc0f68818ad1644171baf5eb79c6361935f427d6604bd7b18c4a72cef9b6db4c45b63219ddc58213c668d952d3c3381e33691d8506c3e875a756cfae22c91a1a04079a1d702aac2c804d75b2f87922ffeb7d3bc1f4918b1b2340a3e38fe301e3841ae4b6931eb8ab7dbab8b2abd07c82b6d5a6b2b5f6c0957bf2b82a8687968b10db8b3ce8de8fc1c87bc252e1eb84516a8e923df353f5da9a7a88c5191d01303416ccb792dbca2e72a4794762783cabc070f28cb28673ba994d9ff9b8c2b0c3f6e54ec0a5b9dcc13b23e8209a7164624b3bc5cecae603d8a7d35d0a50962bc7acd75196b2e0a93310beac90d97aa3937b082fb1fea9c2d2b563849da4613be20071f2c7e944a7608b62b06c8d3646526efd0794294a24099bd984d819afeaaa5f5c37111b4a210a15b03cde35c95542950b0564963e217cf4e16554712ffc2bcb57c3cc994f58ced433637998b7c8ef9995df0059c9bfa4f550719148aaf77c8937b922d2303ca467ac17809fc7fc98a5d3606ad66d6733efbc943fbbcd25564e01f0e42897afedeb643d9419202ad1e4f062e41a40594a13ee95352c5986f7de3df8327b275f04972d2fe113bfc430490e164694170344dea9ec0b3f4b299e72147fad548cd54601a869a4c85f6824ba7eb4dc6b6d9809b4eb2562b898c7a87dfaa99852dbbdfd2123c6ec6c6cc458a186e5dbb0e7eb8356f4270faaaeac4c978ae5d59d2f401730f17904ddf807b0282701b40546e7b63f611ee69986dd7611d8afbd9e70468bee1cb60159d881366ee99055685778c34f960e42b8c59b2f9cc2301ee01e112fd47eb508788d0f902f2630342b1e6fbcfbcba39fd3e595f6b11f67a9e32c588d2cc1d5e4510215063fd9274ad7e4c0a6de2c3bddd5b4e30eaea2f7abdf0f5e869fcca95f287eb660281e4b88ab2cc04ca7035090bf3c6bcd5ccf4edcf766de03ec2778aafe09f5f2edee8ecdbd6cd261065a4474e4b96fb18e4d1ed4c9e6e1726ccba01a45c4114e92721757cd4ebeceecefb5e4f01e5a8ac37b19d29a861bd9645dc5aceb424e27c536bb479732046436f53cfcf1b9d374280d29cc4d0bf3adeaa7e7541dd297cc54697b87bb6c15bf690a34825fb39f65dc30e69ed780cebf7d39d6221dc66a64270aeffb01c3f683049a8da456e3e6dc8745cb082a69009712ae16794f8d8e5b1ee98ccb8bfffcac81b7e63f682f5572ca118c5c03d962a4ca092e5f13a8563c891114c7fd21e9b6bab25e02ff4eaecaee05f448c21621529a4d024cd3ac90d32828205a354c71bc996afbead0ae2d1e2320af83451de1766d75e166593d7c9505b69f470e55b6a14221a1cc63c4a4c0c96a3806a2b27afaad63df0d59c93626e92d3cd676e629e5c56dd13739c21f2adf2796e9d51fec57b4544d15060b0d2a8261ab24b67c3c9817aa4722288e3f033c184c66f0cf55d7b90e9b65d033fa14ab2b04dd33e4dbc037648e5462f53d5db6103936d93dc8e8ad51d3ca1c60145d08a5fd9540cba2464816257569a098457cbe8ec0047ba46c4640bf2eeb6854e00f08cb87d623978d7a58ab310027430ad547d16533e24d6c9a57efa88fa1e3f49e0b1b6b6efb7a16483e5604fd2cc963c834b8f0f4e072eda55b8666758937854cc53df734ccde6663af4f8cb47ef795c00aa0794fa
\ No newline at end of file
diff --git a/src/tuf/examples/repository_delegations/keystore/c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885.key b/src/tuf/examples/repository_delegations/keystore/c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885.key
new file mode 100644
index 00000000..b9efdfce
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/keystore/c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885.key
@@ -0,0 +1 @@
+072a995952b63c10@@@@0c6b21b5ab8f41bce30d67e3d5764c85@@@@28b6285e7fe0e0c44a088cbd8389978328312196bd58dd63bd2ebe2a1c7cf30f003f081b5a98c3c94d2a439ff751179392910be0fcf5866654e2ce009b1d705ab35b7a269175ed627368e23def3095fcf8396755cd467dd0891798187f5fba7ba03d120912a643644d58f582a8c6f90cca50ed8608806a00d2f2be08a8efde3157315bf688b9304c510b80e845d9829a457d5c9d16944e33018905338efdce99c90a2eb090ac66a0347f5c4f2612b84e514fba870ef3478105cf1ca2a6028921ec1dcbfcf2c092dcfcfcb6e3a166c91ddecb0b0bfc949d83c94faca395edc9b731582ba89d3f15a362ce070dd565079a4702af9da72f05990801ae6e0582e9b4b1484f87216b6e832884213c0aa80081b75b78e78389faf5a5b8c779dc0b9e2dd0ada5c667cddb741224f797c710827f63cca3ffb591e68d6bacc516c87cc009bc52de026a067dc69b04b7c6aa0c52c1812bd9761ea08820fe4e523a352d677aa92fb8583bb6ea2157786d1bc77f7bc0d65e94ef56875a1a5321abf3a82bcab448c949991db986d69163ab0040a500543fa6f2e30f9cfa3acf23530db62e4c217ddbbfd827b560f0e4ed5ff327d60bea0f76d9fd71d8bee5be08926415874319929dbd7edfc05c7d653a0b0f0c56004eeb241770093ca531c764050235fdff98f3b0662130210396086613b3633f53884584cb84b8ec199fb1a2cf7aadd8797e629f90f7f8b070c9bdb74be1a8b05dabf2a07a699704b321d163cdef11bb7e1a5aa527218ba7147f83af61ec06f11c6ccbf8fa0792ee363c34c2f1f0292732452e3cfa95d5b8fe657789cf906a9a260758cfae63af117a70dd0b9592efb73c13b9985c31baf9d297a3696d5704a0a7c73f2d2e9728d5967c07856123293172f763f6b7409e91472b7258c3edb1011db4d8ffd8c71e72549c42332fe84f8ddeefb51572ea85ce793de98c53433926f35538046cfbe951557ac854b9fd9be4b91fbb5cfe3017891a0ba454f0324217f9631a24f0aa2d68d63bddfa861008207ad49fef24bc2d07405773776789ab51303f6b347e65d34c2cc1f9024173105b96f74fa1dfa5f4a72ae22716c544f5e4f8f7c078f415de7f260acaeca5bcc6f75077bd7c42dce9b7aeb08426cedb8c730a7536929b2088778d39836b8c40af01f9b8a56ab2e28df0a3a5e17afe856a7f871a3a26c8ae060bed2bb776fe8b72de37c623a4aa6b35f5041f58beb3f9fa79ce82f3966daa5fe7eaa497c90b7ff1454c7ecde8aab4c4894979f544ce3c1acc12d5cfc12de63e4767dc81442335c23b9a4a46c6cc478d76f5b9a43de507bb46246c04b810e90fe5ab18771eec526b6b0314c17e37043cf3691f8bb63741f4a1448e00d235170a3995327026084a3d2cc6214da5df901272ff433116e7bd1504a103183d2c20f126fb2b8b9580885785b3e6dd32fb2eba3c5c85df28c8e9930d84cc559b5375c98db005ab2c12c4cd7f20858fca68f88f964227520c449be65ba26398ae68ceacc51ff7fada9385f7e459e9946040c53e714676ad3bf77a351e64202b602487e295b65c24856a635532623126fae8c9fc1da96c34d95515975368f16a22d9f5af821093bdab6c2827aa0b1279dd3ad9ab92e0adde4e102cb3789861fb73e973c2c2e8e1841c628443278ba65a671873eb58bee92c76a8bd547246aeddfdc6b66e8d5dbb11bbf7f509f7e91e88ea7d6c514fb71dc6dfae9b42370769d4e9d2874e84714f995ddacdb2601cff322a7039a6c6f1e7489c738d270ed76c8980b23795ebd3a8e2a6df716715f544465889a04ba70f72d032543bbe9b7c662c630d1382f7d466313a8a8dc8b0bf99f403574d7ac1c430abcb552d950bb03418f20a8548edd93ac966ed542c4667efa3ce5423b1a9479dfa3e6897a4a8baffc7dc1c18091b962354394af51f81dec74854eb2d1e69cf7296c34643fccd73d14c1d2fe568e595358b5cfd52912d3fa03c0931dd1cb74ab68fb8c032e4b1f98e3eb0ee455dbd3376913e93d55b5f64904160241138fdf74f38f30cacb12a2c244c06312cf1eec39d480c624e1a867e8e08bcdd46881e74fc13164a7babcec35119bdcab73ea37038eccc9ec4057d66487097f3e481f437d92c5778dc73811cccb5fd11f4dffad9800acb79717d044151fbacd660fa621ff2ce0545d24b316d0fd11e1ea3bedcf9e241407db5a16806a99508f4c62dad4f22bdb04ec82bb850d82601f6e86980232ffed0558e8cda7f78df991ebb88c25ed62dfbcad4c9e772c90ae1311d4aa3040f0114f75149ab9402a60cdd9af9eccf582c143ca0d547d5a96b6ec7e3e3c8fe57dbe35056dcb9d7404f969929be20b27c286523bd5e2df3af91f330347ab5a13772146ab02c43f686bb9cbd5c662d548516114b5a752eee32971a877c60de67164c10e8652ab42d482b4bee818631b7e9e2e07c68f03e8be634dd7f4b42d92759f734d1473a1dd89f60bf42c37c4e1c0ea9760bd63fcf1ceac5274a33a7262f335adf15c6f9849650a13a7530b284a290e057cd4ab8ee771405fdad74b73556043a02b7641ff943d30230e4819d106b75a64ea03edc084faf5723dc48d6913d5de35379967e45aa11f94c8b2f24869c5f3370cc8b1a13f3ec044b726cb2ffa55d3bb3ac24c62a3e428b3caca5313c9694de21a70720083c4e33006b7d82c02d4a540e308e982e0868f4e284df4681e4a16fb97144ecae824d94e854f4808fef7733aa40825393e07b563d585aee7c2eccccc9d37ee72a3880417ddc1896199e75ee467fe8ccc301c1169df35b2962abe83c679a2458334bea1b3f0a6f9dfd370d0e8b79e622f5d0b6c08fa3d3a66188038434c98b10cedd652550cdb003433dc0f32ef4739e1661e678f3df0abaf2e42057bc8f2b154b0f9ded55dc96bd400de3ae9d151973a707423f98f7e3992c99e62e5edb7f473961b4d66e70d37c1b20956d983a1496f43324b50cfeb3af744a443a2b1954f348258f8948809b3744b6698c193b63de28845e2cd0627b3cc80a2d3e3a5efed87f0eb422b843b0b1aa24a662d979101b42161ea4eeb9f3b3c1a8c18aa9d753d9518b3fcbb258e6d07b4665ac5af06f929d13dc67305ca4ea16e8a8f634b98d9cbf9780a30c9c56052645edfed30d3a091b559ff51e02a9a305c2a7aea44a519b984abfb31165894eae9f5300c31296f7f243340aad2019bdb82f4bcdbef0a9fef7695c02b5e553864373badd5ecaa06c1ba3439a674b1f84f25344271b6da9bc705e9954e8260a43981f93b8b9989de1ff7a699ab3d55a97d9e70d13fb0424c51a8ac013cfae870292e3d144432f8bd7c6e6f301b9db4535a01806f61aa92b355e8d895eb67f6c95b7fe72133a219c9e15d1bb2d3f5b5c122a5f905e2944ae2d577e5b048e7f971f877efc10b17b270f6e677374c3ce3139b24c74c558c22ab6055e2b89326a08e1d0bc26ac8e33f46e27c180e65859d89a5813bfd70483ea4018a88edf78cc28328b6543095389471768057b77c869571dd902238cf217c5dfcdd15a784094a96443bb283542297d0863048258401cf061aa0eddb714e8385ecf40dce117030e2d11f5ff034a8ccf927e7694fd8d076a54c4e183698fc0d2551236b6a3c1f0437ad085929971e68c248d2e5dd137faab5ab1b2f3c7aa50dc2f03a21a2355c64a7d2dc01529307c5f8d816583fb887f1529f4f0474f8cb49b0585c6de083a21f3d9c1c924f2342bb38d8cd77aafa449ee6ce8233aab5c8761f01610abeb6cfb334362ef0f1330f414f140c8c7614b4feda8bd68a33e7993ac64764f077ef3de1201474ad6f0028e081c33451bbd377649e5ba91ed5c939c6da430cef5afd9681424b717c9fb9f3da9f4636613bac7b7e11773f5ed2ca5a69ce1a6dfd75eee3fabc50a361fe27bb4c959b8a3651ba407e95003127f80f0f222ecc00cc80d38c2b7c01e39fb7bab677bffe0edd04c4aaa8ef7b5e3e7cbd8b3167f62a7e0762d99c716f3b01c01611853af0cb8b7f27c54151532c3e9fb5fa4440475d3b2904bdf0edd9b07468075c235fa332cec4ce3cb6b36667447dec8c17fd240187764a1c50ef47b9bcd6cad8af9e2b8545eb0b33a02d77919b9eed02b90dd79c088aab910c78b3f703a1e66af47dfc1f21b7d75e4a4e3aeb0ab6b58100287e1abc3c296ba25ded79368e2e3dd528cd294ac1b006676c0c91ed06c2c3dea33eaa9524e3471b875c1b0277f7ad51028f62ca9506d841a728a545f40cb386007420e5524ece7e34ce4a32a9aeb3f45d0493345226b92e699fd51bf91498029e6d9daab2b633f3b5b130565d53aa687825cfeda5a9a6ca96407ceba91ac8ab1582388fcb6c2b9d71beeb7c0663660623a078508d6c4a6167778e4f5d05b5865304a8f26e4abb696bda4fc7453a4683ef79b2447c5ecf06f3b977e0b9134855d49ff2059a95f7adc623f5fa0c89bc0ff45bc311925b8ef63705185b012b944e34addbad5622a6a44292428c3a7cd04669b0e310d
\ No newline at end of file
diff --git a/src/tuf/examples/repository_delegations/keystore/caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8.key b/src/tuf/examples/repository_delegations/keystore/caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8.key
new file mode 100644
index 00000000..0c542003
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/keystore/caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8.key
@@ -0,0 +1 @@
+c218bb9f33de2b19@@@@13a61576549ddbee38e9dee3a150258f@@@@e77c49700914056cb2df0d03e8e4836a9d74429d0337ae63846fe2ed8a384bec01bafac18ca5d00a16189d7d698149affdad970b3b752cd74bde75277fa221892d36dfa8b7339311bf4ddfa418cfddaa0f54ecc44aee890a6ed2a3a32d713a46a96a48ab3feaed1a5edb388248c81069b2f500b75dcddbe56ec785ee5d5f3f57783e558ef30cb28cfa9d0f219dad13dd9abbe8080ea0091b0a256e5be847c66eed83af0387d28bb476ec053e9cb57d07d5a62a28204f608c16be5d07f8d33782834e5ddfe7c6ac4306bf523051f9ca5d803bc8537f9b9ae292a1015df402e1467ee2ae5adc58f0bda0247ecac09c3ac70c4e392413ec8b84cde53abd7195d4cf9ff4e1dfccea70f1748c9bf8f0f215930d117488b1c1914380fb0bdba44550f53905245fea6b1957be41d206ee5866fd613a6aeba6f59db28ed39f2950ae0f61c5772844efd4ccd9eb5b97f3daabd3fb94d97d826985359329160787922d3875bec6a4859eb7dc077a3acbfa805be06e4c126a067d64afa83dae2bebdf77e7d1f44df68df82bfa2dfca8b8ba508557351a7219eba4b9471f17a218910f754982dfa2e3390119e6119435be45eb8638ecb4db8b3c522e2abf3d0dfdff44e7458aae6ca3175cfc5aafaacf568979f1d83bac5f57bcc310b76d858948d2f80f0fa9677bba36ba3bea970c0f480900254ca446d64ad288b481238c6e4cc73fc2856996701e3c053ce4ef34471f9704e532bc046289994076500be0395d55f3394d59ea5adafbe77d49b5a0ec72616920f95c96d156f4738f165bff1dffa8de17eaec659e90083c9ee001323caa59b8f80f96417e88b0931053fdf4ded5fc3066a5353e3c4f1254573467d3748fb4bf0b0a03c9b6f3b840c470d7618529f43c4a9c69d02d806b165282abe78262ee83fccc3bd1197beda76f57c51ba76e3f4b52d9d9477fbaa60f1ae0a865b19f101d917daf2254cb0b837735f86972fef2f52f1992d23380e02a53096e2cdfd2dc869acd86c713c6fd20c71faa16ee0bf226d4ab5c1cf6f6ecce613162b95d46d2cbbbe26a660832bd7c6edbe119b7d892201e179b120c1596ecd11f8d9dd015d7e85f427b3ccc6171a051d1eeeb67107db9f5c84553adb86c0539977e26e04c170399a470dca209f7fd7039955edd64e605fae52dbb9b475a3cf2407179fc02c3196c73f27dadca2191efd7d02d4dec42f83aed119c07d4d6e2ff6d29aea7b77b9d31a0f9716eb14743106ae72b04b1bae4ae96339b64e8f6da21d81fdf8780cba0c16876cc7ceb7466d5a74ae5afe252d5d966dacba080563a6ff2e55f04fee54286b2a3fde89f4cf8216a703830f2fec3962e992131986d9883df51c05fe6d90af5a00744fb12a611aaea64576f8c4781ccb3b2c7705793b6b69eea9c872860acd56a635b8361a7572e18feb479b4eb53c8ca26c1a8a7fb9bd0b5579a50227b9686fb9f74136967e7fb3c19e6190321815413ad0916f717b3cd8a68125073eaf1bc8ab7b8670c3af196d8631e86da1c2bc2d581cc8b7ff3af52abc396a50e22b623eb607f3456017a398a937584e8f17fe53544d67e8d9c813cb50801b36d7a64b6150de0342e9f6fda5bbbd88fa592406e49aa1ee4da8a7f3e31abb3ae9143c599c74100df0a1ff8ffe8b82cf5a9fad2bdf095b78fe88d6c8ee9840c9fcbdbb82c53ec15b04aaf2a700e95182be83140390b78c10f66a668cabc9195d6998ae06b5982b447ec56c11d370aa6f48270e05c816cdf0c99ccb67061cbd059370c8cfba50dc91b81c8913d3ef58df863018cee669f7a515d92b36538736493b14511330a5c50c063e0f7b41e0bcc7cb08ff23bc5d8ad9f2e4128b1fe48796b30cc66f90a98eb4a612ec2f3e0807d21139e472adc97eb484abe56011b595606bd2fc55f9129ea2dee4f1bd3666d4b419c09c2cb9ab1549f7eb64131cbd14e3f0aaedc646f83af1293b9aa2bf3b52eff87182b7f7dc8d054c28367700c7752f6a35595c73d5bc959c15d2c17673c86c9089de27352f7884cb3cfb0fd55431ccb9ae987100d2b368bdc8614846f3f76ad68c34295b86a9ef219c798e27bebbf2f556e25079876c9950e66cbf29e1740ea226d5e2f8e89c32f2b2e60a2b0e7135bafedcfa00017ab85fa3ebf8a6ad143215f8e1fe48b87e420f38e87a9679bb7226a0e1624fcd07a8304b59de80c0baf1e205a9bb7b73ff24cf79e5b19df7d89fc8edc2a4ecee8833ca5cb46a8d5d35620f60d2a94bff7fb0097825ebb618f15b8c81e9da46bc6af640a9b99358cc7e856e6bc5a67dd2ce7223f0d62fd0ac6809dfc7da50803db04d80835d77414217f8a23cb7dc73b053a0c4060313e0cdebe1bd3cd4c94000791cae8bb63c3899997ceb65d6afebdd1fa06afe08dcc15ed9cff5d68a047d2eeb1dd6b79a4371a590e3b75f32932a9655059b1affa93fa8d4315615553932aaa7fb3170837bc7aa0c9638002d5aaa13f0764d1cc0ddc6213049ff5af2eb26ee02a10b880e99f82df3e07aabd755a821a0d2855745ed612377936768017a4a3f41055ff638dab2bffb67d308b98c3aa422d33d6d2c78083e32c5a7288f6cb7a5b7cd3e01e0faf0074f18be727247613913beabaf1460e9cf18d3a21bc7c1c494dd752bf61067df1a053e2427770ec4a5ed3945c6163c80564522e5869e08767b2680ba7de1c2b6a6baf4d78b703b1659af99fb7eba244521ca4f94e218b3ce6ad07262a67a1cca2ed33ba8f739a35fecb508d5c31e4150253f41f726b27fa20537ba7a0814dc81add27ab323ea2bbaa43c0497f937148bf4cff193318eb3729ae8e7ea1855fe1945c73a69587700c21d6b47d858c031396fd6276b033979cbefe6a90a26a7aaefc2d4c830be5901ff6b6a3fff7ce3242ee9be07a456013008acb318214405daf1824d53520593962a90a8a3d3beced17b6726c5bd2abb53a9df4e5dcbccc336546e050626f9506926934159ebe1820fca4613d39c024cb658691b25ade342af5f5b7a0c696f362d5edcc42c6237b564fd366ccfc9001ca7081739b5aba60c8a246853f06668882b09a6d76479db4053953eb9631356b1ecf528aca29ee5305e1dbee9f8db24471d41fd3a0fbe69a80f2ebaafd6e140a22d463cb40e828434d08942fa4253ebb1cd012be4aaca8250a73e62f3e93072247a0fd15ce850405bb4d2d7a3898ebaac2241ff38a5a5b1d24023d18f295e86a24300ab6cfb4603eb028c6977a9d2f209bfa3e466b08045f45399436c1884cda23c3fe2ea6a0c9b8828c0d3eb71b90dadbd05f326271d69bdecb68ae8f33f4e0701eb225d4f39cd7672c40d24be70e6f1a249b78b85cfff3a6e955dd662683ad4b25ee19efdba5da559b20d73284a0dfac9c49da5cb14ea0559d763115b254a6b0152186571a0d2a5c1b8f3629bbefcfa8bd2e80c6c26badf6210a93a30eeb66668da1985665a9528e68c7ae2f74f04108cdf9e8c23a9b375e3bd1b02c67222ad108b2846b251668b0045d8585d9d75c8a5861d195726e28cd60e9bd25191ce8321b8317d1e190c844a836babaa33c4915eaf3b05902ac19b31183af6f068ab2b7075da542ed02342186260a3ae362b544bd3d7e4e64c523733112295b5dcbf610a423c48c9e5c5ef80e55a0496fe109376e9a2bed03cc91058b25d321ebaf61d79a7526fde6070b16f8d68a6f16477aa9a0f62f82968e84bba959bb34b033ae23677227f2efe908904eb8bf4cda09540bb9e35dcbd8b934a4c7116bd19abba62dd7ff3db3102471dc9231e16bb30fca8b170819aaf6ac014111df5ee4e7fb4747800b1dfba91b02617d750027074977f0805576d72c69052eee50c9f29ba06e89dd1aaf3917b83ee728b8cc9bed9e7490845a79fc6aa40155cab08ddcc0fd543e258d0c80bc5f28544c58199d22cd27fc58214724d8c6adf0cee32ba76883c44d3737571b3d853e45fbb62f6d58de182508d691217ac2beb4a9b673dfac978b794f1002ae4d7cd95e8c8692bb447e2465ea886a726402fdb3e79bd03b432d9b3add6fcd21f77a8457df0f4a6cf923678e40f75797c8658e144f262e55dc990cf28180689268e7d3986315a8d58e7dd18e3a7a4cfcabbcd76feae360fc14723083188514b8e251e747b0b281ad3ca8a0d21bed7b2c4bb3e1e94ee004160e0c1778036fb2f1527d3e8478751843b617952387bfbc879679db63fdb1851278e3bfb493c7df4856831523346b6891f3f897aecc1e2764916bac8f68bc43066fff3d8fc7ef6b8330dd8f4acaa203c6e1bdff11d34db13eccb5bbc35911656723e8fac1134036da93bfbd87f20145b300a925601cc0eaed57e075fea211941f86229cf4adda57cce02032a87c7337ac49684744c2bc07db6b022a665ee83b5282256d2090e19d27114d0906541f5d48d3efab805a740f05382f4a30cf7bd8721c03a244c6924e30edeb3fdd221684d39a31ae580d62f7ee6ffab1ad3407462583de001033a951442080c101e6c7648ab516704621ee84
\ No newline at end of file
diff --git a/src/tuf/examples/repository_delegations/repository/config.cfg b/src/tuf/examples/repository_delegations/repository/config.cfg
new file mode 100644
index 00000000..8a771d20
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/config.cfg
@@ -0,0 +1,23 @@
+[expiration]
+days = 730
+years = 0
+minutes = 0
+hours = 0
+seconds = 0
+
+[release]
+keyids = b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92
+threshold = 1
+
+[timestamp]
+keyids = c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885
+threshold = 1
+
+[root]
+keyids = caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8
+threshold = 1
+
+[targets]
+keyids = 0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f
+threshold = 1
+
diff --git a/src/tuf/examples/repository_delegations/repository/metadata/release.txt b/src/tuf/examples/repository_delegations/repository/metadata/release.txt
new file mode 100644
index 00000000..464d1e83
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/metadata/release.txt
@@ -0,0 +1,40 @@
+{
+ "signatures": [
+  {
+   "keyid": "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92", 
+   "method": "evp", 
+   "sig": "6f9af25e35afe5bb450a48f9af3bb030a1a7665cfde346cd8e32a858608c86cf7cac21c9c61a01f7f466063b9956e09cc97bf480ecbe89be706474cc07b1d3c9ff67980bdc3196856eef59d3fe76856ab5f8a375a3c339057c68eeaf742ad7d78c22f9fea5935287ae458de3b294b42ba84d7447922b578daddf2dcf1d9188eea26351583878699ed1d7088d5e51612e24d6412f19c6bbfd307d3adb91471d740d7aec7a9fafdf0744fbe041cac4c8c4e36c50710e4b79f96e0d57f6d77bf4c9f081c2f68817cbfbe94ec5f3d987d7f60978c9f0594f095546aea25d838a89569ffca5a0d25fc45aa629b38f1551f19cbb948b7347294d6140a2113f526eec997b7dc72ad9250a83596ad5e80a81dbfbdce2d47f9d73dc2acd9313030d8b767e1837d10dcff9033199b24839f04d2bf43c8d893374a9223a920d1f81e6af5a24f75f511c5c26b8d1a4d713ec85969a173976d5efa86436e98ce602e9bda91d6c709695819e095e8e85f6b9fd28d35a66640c5a913b96c7bc9b9eea6a88c899fe"
+  }
+ ], 
+ "signed": {
+  "_type": "Release", 
+  "expires": "2013-12-17 02:19:33", 
+  "meta": {
+   "root.txt": {
+    "hashes": {
+     "sha256": "5adad012a2d1b3a8d695ac4f17056d205f127d59686d1a4b0c446c8d0beb2acf"
+    }, 
+    "length": 4804
+   }, 
+   "targets.txt": {
+    "hashes": {
+     "sha256": "3de89d8b0bea0a39aa533d08b57c76704f235428a274e21b55cf5f9e8ae05373"
+    }, 
+    "length": 2272
+   }, 
+   "targets/role1.txt": {
+    "hashes": {
+     "sha256": "666e84b3f67efe68e084a22584fbd1f554e232dadd8d0db14b1d43b86092006d"
+    }, 
+    "length": 2292
+   }, 
+   "targets/role1/role2.txt": {
+    "hashes": {
+     "sha256": "a1b60c9e758a9fe9812fb4a5fe0cf769bccb93a1eb066393c9252f0c702b3624"
+    }, 
+    "length": 1208
+   }
+  }, 
+  "ts": "2012-12-17 02:19:33"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/repository/metadata/root.txt b/src/tuf/examples/repository_delegations/repository/metadata/root.txt
new file mode 100644
index 00000000..8281165f
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/metadata/root.txt
@@ -0,0 +1,70 @@
+{
+ "signatures": [
+  {
+   "keyid": "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8", 
+   "method": "evp", 
+   "sig": "47a01d62fc6ffcaaca0c1e3de74306d603a67e554acf00c125aa8b2aaefe73269cfe5875f230e2359eacf75c2cf84f71ae43d4dad9415edc80973bfcc620579f7521fdbd00a8386c54ea9459f714fdc305ba8544b5f157632844cddb18b33c95419490db52cafb564456af403a2db33a4f5ba0588db8736e6bc1c8718979a3818b7c9309d9d6a9b0ad686d48fd3148128bb2b0749f27d8b9e2640e278f0082decd56468e3c1002316b0ea9dc1d244499774c9e4e20896307b6cfcb747f89ed953ab6523dade8de33bd5a5ae5351d6be3d3b4140f131e62d9236313a9df644cc4f365de2107427ce8785a454da122eae1dfca6ccbc9b48eca88ac5c7ded1efffc8b2b0ee9f8cecef170592438aed1153b111d0ca0259c6cc131708a17d901349d6e4a6694b7cd770a40613da3420408da1d83fc34c218e378e1862c893e6a91cd8e8313ce1aed4ef293139762b6b5ed5be15fcc06504ecdc3c18bed1c73b18eac0d55a9788faa99a1dbacf16000da941380a3368a726c3d94990090ce5a0eb0ed"
+  }
+ ], 
+ "signed": {
+  "_type": "Root", 
+  "expires": "2014-12-17 01:38:35", 
+  "keys": {
+   "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw3GRZaihBaYj7TkcoQdJ\n20Oj9GKJaT1P80G4HcjwuRTrP9bF6K2yEmVvsisM7ZXY0tCo7F4LLnVxUf00Y9Cb\nwf7wg238cAF72HfMCU4j8mbxwkEK3yh1+N6A8qXfhJGmmftGzfqqo1e3e4dejZXh\nERiUPc34c2T5Z+ReG0GHMOoQNqES1in90AIUvvCMXkHs7BvWTIMJ34b2+JqF6L1t\ngF4Yax/7nJ+BOGmb21lpfPYdijCnLdI7GWeovqVY+fy7DCtQrrpybCBIn2gp/Cn1\n0EXGhMvKDXNQN1sJsi3M/i81tyCfouTOy//p5/zygEd3WkK986JSzB9SX0oK1X7B\nmytRvG2hVfNb4UarZd4Jfi44y5UPOr5VWd/YiLBnI2QkOLChhpSCus8GGi+yXJr8\nmQ7X0sctgsYxAJoREGB4sm1XmYXnGNuSbH+KSD1jYFhJKYPnJQCth3YCs7p/lfER\nWxMw/YVy+JFT2azLC5dgBXz5dxtTeCPL7mM5OB0ea+/tAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxKsZG4IWgn1vMIzIQtxr\nbXrP2sfeGsqMFpGKJS0/KJXtwTpOAb25fqHW25m9Xku/tSWqZw6EiqKKugeQtPHU\nYV0msWLUiSVYG6UQ4MZkO9wMnEaqF85upf0VALm7uVTcqcoZs0Gc1gIzO0Kl75sq\nB+vo92cqo7/MNAi9Dk2D3rGeYmca0y1QphkRHt2wmtuZyVkurSyXHXERM7d0+gVT\n5eajbP+E9xk70Hm4j4o3VcLBJtldNEclPp70j/8nLoV8S06DcxuPG4szrDuzPLas\nGAtKpJLDsp5nxTFn+6BhC/F6fLdO+I5lsxNg4ZBHVUwkbiwDPMSBb+TRjszFHOZ+\nzYuM7f+r6Ed537LUIJEXu2RKdoY1wsKkyzXiKEo+4Asyzz3dPnuuvuXFAN5jRBhA\nitkKPnyrSL2l1wDUazOfXlcP8uMA3jQrKZam9SqLo8sFnEMwgXAHeK8sNITOrnj6\nVMC39D24sfOLBhRo+N6f2FtgP4p/3MoQ6aw/fvjirWqDAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA4vn+PtG6ZJB7JnG7D5wJ\nz8QszLm8EmIznxt50e6nivVj9ttTbJFIk1Mgi/ob91ZvMlys23aYi8AjI74yZZlp\nkunvLSpwAgz4tPnbHy4G5WP/TzDjCsts+CSqcFAZZw7Tuk31Ewvh2cn0XpDWnFhF\ni8M1S6EEX+IifHndPa6pHQWCQHus+VieJuJXfr0COsL1tYFAEk1mOlm9EemBd4iI\nQUDKm89vwpj3/kcYT2EvfKDszF9SV7FO5DxcVNbqoUdkeUYuUVw5tUmFvHb0P00N\n4ak4LoHtR3x/ov4xOJ1IQt+qGa0DFYAre/KpRq+CYOH0OnAhOqmZ5t7zuMDJFhy9\nqiOi8tI2LU6LwUmTjgcmSta2dZudejFH/TxYsixQgY3l0sT27TZcPP9ul0rQHcav\nad1OUOyFtlk3SIM9UM1NA69L78EwEXrikIZCon68Vql56nKBb6XXSTPsQEUeH1gf\nw459RJOIA5iTBAEYJOYEd84QAR6Ut2DjApXSyJFzZAt3AgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }, 
+   "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8": {
+    "keytype": "rsa", 
+    "keyval": {
+     "private": "", 
+     "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAm2ASrXfbkNOmQ/TQ4uUM\n2o95S6ebcIKhg/h6HWY/HctMblpPaLfJq/5GEFdsNKs3gyo7uJfDUk6Ab5+BjBKm\nMqIDubUUJ7TNrE7EJYM+ml+Wf1MQooglFk+L1sRAh8uFSFOR4Q39cFQ1TS5+BjUF\n0fISXYcPZGL2cp0Fbwo3dD1UM3bXeFGij8KeXZ18Aijjbmkbsfgx4x8/HRO3wsAQ\nKNyqyQvKfkHO0HrzC8r/CLas98rfK79Ib76fheBhizPez4Efom9BljsaAPEaTvYs\nRoYk1UTefXWf+J5cOZcst+C+f6a3Yd108O6FUTVzMZVGp4PUQjtR1GgWhNUPCsyM\nsKenk3X1qTeD2+n4wY69BtBPV4i+8YZ/Qdx1BV6kdFg+WWV8YrPER+0zyUCBZgKx\naKmC5xc1yrcWW1gRrdAZ8HPvzoo6eHUWWSewU40D3xCRHcRXuP3vsAzX62Kpa+Rv\nszCveUWJK8oiwVt0XhtpCHP2ifWGlnUG9MWvI5wdEdXxAgMBAAE=\n-----END PUBLIC KEY-----\n"
+    }
+   }
+  }, 
+  "roles": {
+   "release": {
+    "keyids": [
+     "b6422d4c8a4acb07317b032b89f7d03cc8b42a8b464355141d06a61c13849d92"
+    ], 
+    "threshold": 1
+   }, 
+   "root": {
+    "keyids": [
+     "caa188c0925736af382a61fcdc62ce68e360e9ac5f50abefacb749e20dad23d8"
+    ], 
+    "threshold": 1
+   }, 
+   "targets": {
+    "keyids": [
+     "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f"
+    ], 
+    "threshold": 1
+   }, 
+   "timestamp": {
+    "keyids": [
+     "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885"
+    ], 
+    "threshold": 1
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/repository/metadata/targets.txt b/src/tuf/examples/repository_delegations/repository/metadata/targets.txt
new file mode 100644
index 00000000..d2015721
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/metadata/targets.txt
@@ -0,0 +1,44 @@
+{
+ "signatures": [
+  {
+   "keyid": "0e4b16ecd2fdde03651fe4d7e069ae3edeabbf781b7f6a2e56a71cc1955e202f", 
+   "method": "evp", 
+   "sig": "aca8ff23c3a666c7c7fe9569db5c84751f1fa173165a2dd9bb7797de572fd6ffad2f4eda95d9fc1cef7e2da04f63e45a3ef39665be01806f8eabe665339016bd00781af7178f399c2b85d815dfc7db58db18485a4a6b5ecbf3e5117163917fd21d4dbfc33c568eb33476241f13b5168b2685e3cd16848d5a249bd90a0876fa6bc1956237c61a25816732c25665a4d6bb08c7fb4d0aee4a6f77a856b34581045cbbf20490756ef2dbb798f4972411abaeaae2e299c41f202f38d7c551026a20db1ca9e3944bd88a4feff9cd3eb2d989beb41b585942ffbe3b86d9971753c5cb9d6836af75748d875cca9c83800d55f3394ac9b13838121dd15c57ef38566f530d1b40130ba7d5f9c9bef34d7e478b33ada036d3dc55eafe542ac67bd932cffc2b93fe93317d919f104b0d2576d084f743f7185d9d899ea4fc6ded1aaba4c9de51ba30af909c49c33292eaf093eb8945b61066fc286eb65beabf8b1cd92afb34d03c49000a77571eb13ffd51bba4015dac87f5c60af7b4f192456e9b8e35620b18"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "delegations": {
+   "keys": {
+    "649077bc2acbc020e340a4c8f13a106787ca75d026ec60db5c2c0af3b9b60085": {
+     "keytype": "rsa", 
+     "keyval": {
+      "private": "", 
+      "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAycGNqAn3w3H92H3uLnbw\nBoO/JHuPJSS+w/0d14h0Sn9lHigGKkDNBd3xyQNTTTL20WweFcYRS4T6Y/dLl6hH\njudMlHE6ieqDLKGT59zQdRM4X1L6kXxLH/0lwrF10MVz1KLhzFENQFe86sRqjoTP\nr6EoL72xnIvBiuUvRptpIIx5cighaOk7/3e72Xp27XMZWFW9rkjrMxP5MxEEU4Zk\nU9lmdKbYjVctVOtJ+b4XY6JgIGMgiNMUme+K7Jh/Ch7z4BGp83Bt1e6ZSlXAl51S\no/F8qzV32YlydRpbCZGdN0zXlsP46UhzWK08sehmL4o9BIlJEethVYHSl7tXq3jM\nq+BImbM/myghYyLvKKRt0yrdUz5k4Z1eRVtUnq8WAoXfJjLuQdJiPIZZIcL92GQu\nXfyEOef0Ov5V1dqrVrzUykO5S7VeE+hxrPOp/P1VS8GuK5AtVG4cUVXagevJRQ7x\n3mRikxFbXIkM+3NGu1PiulhceB06IQ0vB54bf97c03exAgMBAAE=\n-----END PUBLIC KEY-----\n"
+     }
+    }
+   }, 
+   "roles": {
+    "targets/role1": {
+     "keyids": [
+      "649077bc2acbc020e340a4c8f13a106787ca75d026ec60db5c2c0af3b9b60085"
+     ], 
+     "paths": [
+      "role1/delegated_target1.txt"
+     ], 
+     "threshold": 1
+    }
+   }
+  }, 
+  "expires": "2013-12-17 01:38:35", 
+  "targets": {
+   "LICENSE.txt": {
+    "hashes": {
+     "sha256": "cd65721176ce5fdbb05773c0b1349f993b94ce77a51062cfa7a78b34cc82fc71"
+    }, 
+    "length": 3286
+   }
+  }, 
+  "ts": "2012-12-17 01:38:35"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/repository/metadata/targets/role1.txt b/src/tuf/examples/repository_delegations/repository/metadata/targets/role1.txt
new file mode 100644
index 00000000..e81ab5cf
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/metadata/targets/role1.txt
@@ -0,0 +1,44 @@
+{
+ "signatures": [
+  {
+   "keyid": "649077bc2acbc020e340a4c8f13a106787ca75d026ec60db5c2c0af3b9b60085", 
+   "method": "evp", 
+   "sig": "773e4867b722a0a99d38403e03bbf8bd4ba6fbd9138358d1b5f53e2a5310be751ba13201ce1e922d3ce5ea5b5213226ef3eaecf0449db294f460e79b4c40ba086bdb469b9af2dea42338d31b376fde33f0ac91a45ab5df97f2b67ed71e17d86c03c292301e1fb63d5532a1a95cab9a5f9132feefbe7138799ea8fba8c963be696ef478a18f8be8162752aa2e2be14d123514762e1334aefabc6be5f84a22a947ed260fdf1d50dbf0bae7fff92af259c4f18ee16696c2f0b3e9d245bc9fba2ed9a4a770cfd6f51c6b0a75daf7896a943370af36c170b0e92b47cd17b6b5e68fd48e42a31ea12879c89a9914198e446c8cd60f9883545a5c8a59b1f7721c6e06669ecee4716934f5a02b583d0067670068656b00578b54ef0e0d84e1b620c52779d1550260b4c0dd8bfe3d20ecf19ad2e6381fb2de06a2d01729040c593d56da0208b2a3571eba2330efa907dfb467c524795012f3a776da0b3b84220cc89461fb67aa69f1f56bb521f211c0b8e8ecfd83b8495fbee433b9743923d57d864768a3"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "delegations": {
+   "keys": {
+    "026d535ad9bd3a7b9dd399612f264fb4be4aa88f9668ac6fb86bfc1f891458d8": {
+     "keytype": "rsa", 
+     "keyval": {
+      "private": "", 
+      "public": "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAvmDFVDT7uzuINW61XGNz\nAbQTmiyWJse/+oyucZNlVuGZgxlKur81eYyVFr0oEcFBDBk9hKlFZkJmGRENKL9l\nVELKFqtuBetl4ullCQL7wZrGlsBXIYelCTZL6jar+4jYY+pObE3VDa7EDOwOBfbi\nfOq61pom5fwJ04Aprwf4HAI1M/C7N0fo+1Oy1kZfI+PFOgT8Ed3adu7UfRq3I8VY\nsiJZTgsyrvHlD/wHhwIQsxWiZZgXy9ziSeIbjXISznMI6Xsi2rCoihepOT3VonwD\n6emgt69EeOamxjUH/AH5iorMd3yWD3pN6EP0SAxQMIK96005NgfTflQ6mN733wMQ\nkQ1xpXSHlP1XRMuNMH7TovjGE7T9bVsipuDcTQ9HrLMRZfchh/GSZIHu3nC3z8L8\nAgeeGqqin3cLjoHYpXJbtQKZ/qlqo7EsExEoPhC6XYS6A5KFoDWc7YmUhmtDb5KM\nvyXoqeivdGjWSDY2WdSqGPzxdFz6UnZ1LFSHAkLWcJWtAgMBAAE=\n-----END PUBLIC KEY-----\n"
+     }
+    }
+   }, 
+   "roles": {
+    "targets/role1/role2": {
+     "keyids": [
+      "026d535ad9bd3a7b9dd399612f264fb4be4aa88f9668ac6fb86bfc1f891458d8"
+     ], 
+     "paths": [
+      "role2/delegated_target2.txt"
+     ], 
+     "threshold": 1
+    }
+   }
+  }, 
+  "expires": "2013-12-17 01:57:16", 
+  "targets": {
+   "role1/delegated_target1.txt": {
+    "hashes": {
+     "sha256": "863309c54db9b7fb109dec25c54d0dabcbc931ff94516168e10c36de5c9107eb"
+    }, 
+    "length": 19
+   }
+  }, 
+  "ts": "2012-12-17 01:57:16"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/repository/metadata/targets/role1/role2.txt b/src/tuf/examples/repository_delegations/repository/metadata/targets/role1/role2.txt
new file mode 100644
index 00000000..e7ce00ae
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/metadata/targets/role1/role2.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "026d535ad9bd3a7b9dd399612f264fb4be4aa88f9668ac6fb86bfc1f891458d8", 
+   "method": "evp", 
+   "sig": "b3df7b4eba55cd57fce111ee733f4befeb6f04d61c0bd7ea107142d87d36895e20ee90c13a1b346d9ad5399042ee101782d5b9399a6b8eb5b5ea58606dabd0aca5206ac7051bab37cb9e1a9251b22a26bcbc5745e524d847591eeef4c9e0c88c8bac9f0ec77a362fe279463e08307f5e712e6ccc1261fa406f7fe76aef463c2b6fb16368e85ae8c9816ed8fa1d808d9020ac7157a5ec58bb357cf0c815fd06f5c606c69d5aa40dad35d42c57f8ee4da16d0401454f65875e3f75976f2cd1413a7806adaef8d1f2fcb1afa7beae57196fc8ffb9484e597b60c6f5714fce33df462293f2d00a1e94b2159c016db3cc9af2bdb4497fe1d0879f22343574b803dc27b8c86bd6310981ce46e436ecf2dd50a61f49330fbc8bda42789c6c9e1720434d00fb006afe619a0a7a35b70b1dc5feca1a46fb5353827e37c19d0c5e84b8605ce130e80f8f781bddbdad2a452fb25107c28e26f3f8aa07b54b969971951bd20e8a13561c9b94801b216a5ab08f01ff1fe03177c3498820888c0097d18aceb77a"
+  }
+ ], 
+ "signed": {
+  "_type": "Targets", 
+  "expires": "2013-12-17 02:00:05", 
+  "targets": {
+   "role2/delegated_target2.txt": {
+    "hashes": {
+     "sha256": "a93f4bdd1cf4219da2ff4cb04e79f596d5bcc9948ef9400615967a2627d0256d"
+    }, 
+    "length": 19
+   }
+  }, 
+  "ts": "2012-12-17 02:00:05"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/repository/metadata/timestamp.txt b/src/tuf/examples/repository_delegations/repository/metadata/timestamp.txt
new file mode 100644
index 00000000..5e74a88c
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/metadata/timestamp.txt
@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "c577a726a369d412247f1eb5d14234a90d84332b295d31bea42cf482fec0c885", 
+   "method": "evp", 
+   "sig": "1b1c21f942c337b4d3eaa69df927f11093ba17126ca1863442db146ecd81d6c949ff611f53b4f3192a265b422b86e8a832b27c20c15bbfe72cd8aadb036fcdbf6bbe7c1ba37f37f27eb44f610ba4c109421209a07e8a54b44f8817d430e11f64c29376f20802c8b0d0a2b4b79386c4582a9add07910ace07cf8e9a05ece325e4c6f2ae6af4eff4589f1038e07bf93aeca0a7da40aca6711259bc9f3a22a87bdcbaf313e2b0dd431ad3431d36604927047f74f2c24436a28d32676753f512081b1447a4f77354d3eb451dc47cb4d75a716856c9653f2a91e7d05c485ad966d7d990851fcfa007011d6545bb446c114ff486a226f71af36479a1cf7cb14f4525a27624bb837c26146deb6721820a577c233047b3bf7aa3fc1938702962fedbf933b8468f9f170cab4de707a40e9b7e708cfca9ba630c2922eb9a8dfc19d814060c101c6c576253d3fa85eb4a991ee52be8fb316ce26f15a0e5acb7affdcc8c0f899da7fb733952fb1cd19e22501a12f9d7cb98680c1abdbb811848cdd9cb07718d"
+  }
+ ], 
+ "signed": {
+  "_type": "Timestamp", 
+  "expires": "2013-12-17 02:20:17", 
+  "meta": {
+   "release.txt": {
+    "hashes": {
+     "sha256": "8675d50257f7e12d8fadd252e6a15b819c8b99c34ceca198e9f439ea63a8435b"
+    }, 
+    "length": 1662
+   }
+  }, 
+  "ts": "2012-12-17 02:20:17"
+ }
+}
diff --git a/src/tuf/examples/repository_delegations/repository/targets/LICENSE.txt b/src/tuf/examples/repository_delegations/repository/targets/LICENSE.txt
new file mode 100644
index 00000000..544f53dc
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/targets/LICENSE.txt
@@ -0,0 +1,66 @@
+        This file contains the license for TUF: The Update Framework.
+
+         It also lists license information for components and source
+                   code used by TUF: The Update Framework.
+
+             If you got this file as a part of a larger bundle,
+        there may be other license terms that you should be aware of.
+
+===============================================================================
+TUF: The Update Framework is distributed under this license:
+
+Copyright (c) 2010, Justin Samuel and Justin Cappos.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and/or hardware specification (the “Work”) to deal in the Work
+without restriction, including without limitation the rights to use, copy,
+modify, merge, publish, distribute, sublicense, and/or sell copies of the Work,
+and to permit persons to whom the Work is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Work.
+
+THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER
+DEALINGS IN THE WORK.
+===============================================================================
+Many files are modified from Thandy and are licensed under the
+following license:
+
+Thandy is distributed under this license:
+
+Copyright (c) 2008, The Tor Project, Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+
+    * Neither the names of the copyright owners nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+===============================================================================
diff --git a/src/tuf/examples/repository_delegations/repository/targets/role1/delegated_target1.txt b/src/tuf/examples/repository_delegations/repository/targets/role1/delegated_target1.txt
new file mode 100644
index 00000000..cf0e2506
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/targets/role1/delegated_target1.txt
@@ -0,0 +1 @@
+delegated target 1
diff --git a/src/tuf/examples/repository_delegations/repository/targets/role2/delegated_target2.txt b/src/tuf/examples/repository_delegations/repository/targets/role2/delegated_target2.txt
new file mode 100644
index 00000000..775db353
--- /dev/null
+++ b/src/tuf/examples/repository_delegations/repository/targets/role2/delegated_target2.txt
@@ -0,0 +1 @@
+delegated target 2
diff --git a/src/tuf/formats.py b/src/tuf/formats.py
new file mode 100755
index 00000000..e24c3a2a
--- /dev/null
+++ b/src/tuf/formats.py
@@ -0,0 +1,1162 @@
+"""
+<Program Name>
+  formats.py
+
+<Author>
+  Geremy Condra
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  Refactored April 30, 2012. -Vlad
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  A central location for all format-related checking of TUF objects.
+  Note: 'formats.py' depends heavily on 'schema.py', so the 'schema.py'
+  module should be read and understood before tackling this module.
+
+  'formats.py' can be broken down into three sections.  (1) Schemas and object
+  matching.  (2) Classes that represent Role Metadata and help produce correctly
+  formatted files.  (3) Functions that help produce or verify TUF objects.
+
+  The first section deals with schemas and object matching based on format.
+  There are two ways of checking the format of objects.  The first method
+  raises a 'tuf.FormatError' exception if the match fails and the other
+  returns a Boolean result.
+
+  tuf.formats.<SCHEMA>.check_match(object)
+  tuf.formats.<SCHEMA>.matches(object)
+
+  Example:
+  rsa_key = {'keytype': 'rsa'
+             'keyid': 34892fc465ac76bc3232fab 
+             'keyval': {'public': 'public_key',
+                        'private': 'private_key'}
+
+  tuf.formats.RSAKEY_SCHEMA.check_match(rsa_key)
+  tuf.formats.RSAKEY_SCHEMA.matches(rsa_key)
+
+  In this example, if a dict key or dict value is missing or incorrect,
+  the match fails.  There are numerous variations of object checking
+  provided by 'formats.py' and 'schema.py'.
+
+  The second section deals with the role metadata classes.  There are
+  multiple top-level roles, each with differing metadata formats.
+  Example:
+  
+  root_object = tuf.formats.RootFile.from_metadata(root_metadata_file)
+  targets_metadata = tuf.formats.TargetsFile.make_metadata(...)
+
+  The input and output of these classes are checked against their respective
+  schema to ensure correctly formatted metadata.
+
+  The last section contains miscellaneous functions related to the format of
+  TUF objects.
+  Example: 
+  
+  signable_object = make_signable(unsigned_object)
+
+"""
+
+
+import binascii
+import calendar
+import re
+import string
+import time
+
+import tuf.schema
+
+SCHEMA = tuf.schema
+
+
+# Note that in the schema definitions below, the 'SCHEMA.Object' types allow
+# additional keys which are not defined. Thus, any additions to them will be
+# easily backwards compatible with clients that are already deployed.
+
+# A date in 'YYYY-MM-DD HH:MM:SS' format.
+TIME_SCHEMA = SCHEMA.RegularExpression(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')
+
+# A hexadecimal value in '23432df87ab..' format.
+HASH_SCHEMA = SCHEMA.RegularExpression(r'[a-fA-F0-9]+')
+
+# A dict in {'sha256': '23432df87ab..', 'sha512': '34324abc34df..', ...} format.
+HASHDICT_SCHEMA = SCHEMA.DictOf(
+  key_schema=SCHEMA.AnyString(),
+  value_schema=HASH_SCHEMA)
+
+# A hexadecimal value in '23432df87ab..' format.
+HEX_SCHEMA = SCHEMA.RegularExpression(r'[a-fA-F0-9]+')
+
+# A key identifier (e.g., a hexadecimal value identifying an RSA key).
+KEYID_SCHEMA = HASH_SCHEMA
+KEYIDS_SCHEMA = SCHEMA.ListOf(KEYID_SCHEMA)
+
+# The method used for a generated signature (e.g., 'evp').
+SIG_METHOD_SCHEMA = SCHEMA.AnyString()
+
+# A relative file path (e.g., 'metadata/root/').
+RELPATH_SCHEMA = SCHEMA.AnyString()
+RELPATHS_SCHEMA = SCHEMA.ListOf(RELPATH_SCHEMA)
+
+# An absolute path.
+PATH_SCHEMA = SCHEMA.AnyString()
+PATHS_SCHEMA = SCHEMA.ListOf(PATH_SCHEMA)
+
+# Uniform Resource Locator identifier (e.g., 'https://www.updateframework.com/').
+URL_SCHEMA = SCHEMA.AnyString()
+
+# A dictionary holding version information.
+VERSION_SCHEMA = SCHEMA.Object(
+  object_name='version',
+  major=SCHEMA.Integer(lo=0),
+  minor=SCHEMA.Integer(lo=0),
+  fix=SCHEMA.Integer(lo=0))
+
+# An integer representing length.  Must be 0 and greater.
+LENGTH_SCHEMA = SCHEMA.Integer(lo=0)
+
+# A string representing a named object.
+NAME_SCHEMA = SCHEMA.AnyString()
+
+# A value that is either True or False, on or off, etc.
+TOGGLE_SCHEMA = SCHEMA.Boolean()
+
+# A role's threshold value (i.e., the minimum number
+# of signatures required to sign a metadata file).
+# Must be 1 and greater.
+THRESHOLD_SCHEMA = SCHEMA.Integer(lo=1)
+
+# A string representing a role's name. 
+ROLENAME_SCHEMA = SCHEMA.AnyString()
+
+# The minimum number of bits for an RSA key.  Must be 2048 bits and greater.
+RSAKEYBITS_SCHEMA = SCHEMA.Integer(lo=2048)
+
+# A string representing a password.
+PASSWORD_SCHEMA = SCHEMA.AnyString()
+
+# A list of passwords.
+PASSWORDS_SCHEMA = SCHEMA.ListOf(PASSWORD_SCHEMA)
+
+# The actual values of a key, as opposed to meta data such as a key type and
+# key identifier ('rsa', 233df889cb).  For RSA keys, the key value is a pair of
+# public and private keys in PEM Format stored as strings.
+KEYVAL_SCHEMA = SCHEMA.Object(
+  object_name='keyval',
+  public=SCHEMA.AnyString(),
+  private=SCHEMA.AnyString())
+
+# A generic key.  All TUF keys should be saved to metadata files in this format.
+KEY_SCHEMA = SCHEMA.Object(
+  object_name='key',
+  keytype=SCHEMA.AnyString(),
+  keyval=KEYVAL_SCHEMA)
+
+# An RSA key.
+RSAKEY_SCHEMA = SCHEMA.Object(
+  object_name='rsakey',
+  keytype=SCHEMA.String('rsa'),
+  keyid=KEYID_SCHEMA,
+  keyval=KEYVAL_SCHEMA)
+
+# Info that describes both metadata and target files.
+# This schema allows the storage of multiple hashes for the same file
+# (e.g., sha256 and sha512 may be computed for the same file and stored).
+FILEINFO_SCHEMA = SCHEMA.Object(
+  object_name='fileinfo',
+  length=LENGTH_SCHEMA,
+  hashes=HASHDICT_SCHEMA,
+  custom=SCHEMA.Optional(SCHEMA.Object()))
+
+# A dict holding the information for a particular file.  The keys hold the
+# relative file path and the values the relevant file information.
+FILEDICT_SCHEMA = SCHEMA.DictOf(
+  key_schema=RELPATH_SCHEMA,
+  value_schema=FILEINFO_SCHEMA)
+
+# A dict holding a target file.
+TARGETFILE_SCHEMA = SCHEMA.Object(
+  object_name='targetfile',
+  filepath=RELPATH_SCHEMA,
+  fileinfo=FILEINFO_SCHEMA)
+TARGETFILES_SCHEMA = SCHEMA.ListOf(TARGETFILE_SCHEMA)
+
+# A single signature of an object.  Indicates the signature, the id of the
+# signing key, and the signing method.
+# I debated making the signature schema not contain the key id and instead have
+# the signatures of a file be a dictionary with the key being the keyid and the
+# value being the signature schema without the keyid. That would be under
+# the argument that a key should only be able to sign a file once. However,
+# one can imagine that maybe a key wants to sign multiple times with different
+# signature methods.
+SIGNATURE_SCHEMA = SCHEMA.Object(
+  object_name='signature',
+  keyid=KEYID_SCHEMA,
+  method=SIG_METHOD_SCHEMA,
+  sig=HEX_SCHEMA)
+
+# A schema holding the result of checking the signatures of a particular
+# 'SIGNABLE_SCHEMA' role.
+# For example, how many of the signatures for the 'Target' role are
+# valid?  This SCHEMA holds this information.  See 'sig.py' for
+# more information.
+SIGNATURESTATUS_SCHEMA = SCHEMA.Object(
+  object_name='signaturestatus',
+  threshold=SCHEMA.Integer(),
+  good_sigs=SCHEMA.ListOf(KEYID_SCHEMA),
+  bad_sigs=SCHEMA.ListOf(KEYID_SCHEMA),
+  unknown_sigs=SCHEMA.ListOf(KEYID_SCHEMA),
+  untrusted_sigs=SCHEMA.ListOf(KEYID_SCHEMA),
+  unknown_method_sigs=SCHEMA.ListOf(KEYID_SCHEMA))
+
+# A signable object.  Holds the signing role and its associated signatures.
+SIGNABLE_SCHEMA = SCHEMA.Object(
+  object_name='signable',
+  signed=SCHEMA.Any(),
+  signatures=SCHEMA.ListOf(SIGNATURE_SCHEMA))
+
+# A dict where the dict keys hold a keyid and the dict values a key object.
+KEYDICT_SCHEMA = SCHEMA.DictOf(
+  key_schema=KEYID_SCHEMA,
+  value_schema=KEY_SCHEMA)
+
+# The format used by the key database to store keys.  The dict keys hold a key
+# identifier and the dict values any object.  The key database should store
+# key objects in the values (e.g., 'RSAKEY_SCHEMA', 'DSAKEY_SCHEMA').
+KEYDB_SCHEMA = SCHEMA.DictOf(
+  key_schema=KEYID_SCHEMA,
+  value_schema=SCHEMA.Any())
+
+# The format of the resulting "scp config dict" after extraction from the
+# push configuration file (i.e., push.cfg).  In the case of a config file
+# utilizing the scp transfer module, it must contain the 'general' and 'scp'
+# sections, where 'general' must contain a 'transfer_module' and
+# 'metadata_path' entry, and 'scp' the 'host', 'user', 'identity_file', and
+# 'remote_directory' entries.  See 'tuf/pushtools/pushtoolslib.py' and
+# 'tuf/pushtools/push.py'.
+SCPCONFIG_SCHEMA = SCHEMA.Object(
+  object_name='scp_config',
+  general=SCHEMA.Object(
+    object_name='[general]',
+    transfer_module=SCHEMA.String('scp'),
+    metadata_path=PATH_SCHEMA,
+    targets_directory=PATH_SCHEMA),
+  scp=SCHEMA.Object(
+    object_name='[scp]',
+    host=URL_SCHEMA,
+    user=NAME_SCHEMA,
+    identity_file=PATH_SCHEMA,
+    remote_directory=PATH_SCHEMA))
+
+# The format of the resulting "receive config dict" after extraction from the
+# receive configuration file (i.e., receive.cfg).  The receive config file
+# must contain a 'general' section, and this section the 'pushroots',
+# 'repository_directory', 'metadata_directory', 'targets_directory', and
+# 'backup_directory' entries.
+# see 'tuf/pushtools/pushtoolslib.py' and 'tuf/pushtools/receive/receive.py'
+RECEIVECONFIG_SCHEMA = SCHEMA.Object(
+  object_name='receive_config',
+  general=SCHEMA.Object(
+    object_name='[general]',
+    pushroots=SCHEMA.ListOf(PATH_SCHEMA),
+    repository_directory=PATH_SCHEMA,
+    metadata_directory=PATH_SCHEMA,
+    targets_directory=PATH_SCHEMA,
+    backup_directory=PATH_SCHEMA)) 
+
+# Role object in {'keyids': [keydids..], 'threshold': 1, 'paths':[filepaths..]}
+# format.
+ROLE_SCHEMA = SCHEMA.Object(
+  object_name='role',
+  keyids=SCHEMA.ListOf(KEYID_SCHEMA),
+  threshold=THRESHOLD_SCHEMA,
+  paths=SCHEMA.Optional(SCHEMA.ListOf(RELPATH_SCHEMA)))
+
+# A dict of roles where the dict keys are role names and the dict values holding 
+# the role data/information.
+ROLEDICT_SCHEMA = SCHEMA.DictOf(
+  key_schema=ROLENAME_SCHEMA,
+  value_schema=ROLE_SCHEMA)
+
+# The root: indicates root keys and top-level roles.
+ROOT_SCHEMA = SCHEMA.Object(
+  object_name='root',
+  _type=SCHEMA.String('Root'),
+  ts=TIME_SCHEMA,
+  expires=TIME_SCHEMA,
+  keys=KEYDICT_SCHEMA,
+  roles=ROLEDICT_SCHEMA)
+
+# Targets. Indicates targets and delegates target paths to other roles.
+TARGETS_SCHEMA = SCHEMA.Object(
+  object_name='targets',
+  _type=SCHEMA.String('Targets'),
+  ts=TIME_SCHEMA,
+  expires=TIME_SCHEMA,
+  targets=FILEDICT_SCHEMA,
+  delegations=SCHEMA.Optional(SCHEMA.Object(
+    keys=KEYDICT_SCHEMA,
+    roles=ROLEDICT_SCHEMA)))
+
+# A Release: indicates the latest versions of all metadata (except timestamp).
+RELEASE_SCHEMA = SCHEMA.Object(
+  object_name='release',
+  _type=SCHEMA.String('Release'),
+  ts=TIME_SCHEMA,
+  expires=TIME_SCHEMA,
+  meta=FILEDICT_SCHEMA)
+
+# A Timestamp: indicates the latest version of the release file.
+TIMESTAMP_SCHEMA = SCHEMA.Object(
+  object_name='timestamp',
+  _type=SCHEMA.String('Timestamp'),
+  ts=TIME_SCHEMA,
+  expires=TIME_SCHEMA,
+  meta=FILEDICT_SCHEMA)
+
+# A schema containing information a repository mirror may require,
+# such as a url, the path of the directory metadata files, etc.
+MIRROR_SCHEMA = SCHEMA.Object(
+  object_name='mirror',
+  url_prefix=URL_SCHEMA,
+  metadata_path=RELPATH_SCHEMA,
+  targets_path=RELPATH_SCHEMA,
+  confined_target_paths=SCHEMA.ListOf(PATH_SCHEMA),
+  custom=SCHEMA.Optional(SCHEMA.Object()))
+
+# A dictionary of mirrors where the dict keys hold the mirror's name and
+# and the dict values the mirror's data (i.e., 'MIRROR_SCHEMA').
+# The repository class of 'updater.py' accepts dictionaries
+# of this type provided by the TUF client.
+MIRRORDICT_SCHEMA = SCHEMA.DictOf(
+  key_schema=SCHEMA.AnyString(),
+  value_schema=MIRROR_SCHEMA)
+
+# A Mirrorlist: indicates all the live mirrors, and what documents they
+# serve.
+MIRRORLIST_SCHEMA = SCHEMA.Object(
+  object_name='mirrorlist',
+  _type=SCHEMA.String('Mirrors'),
+  ts=TIME_SCHEMA,
+  expires=TIME_SCHEMA,
+  mirrors=SCHEMA.ListOf(MIRROR_SCHEMA))
+
+
+
+
+
+class MetaFile(object):
+  """
+  <Purpose>
+    Base class for all metadata file classes.
+    Classes representing metadata files such as RootFile
+    and ReleaseFile all inherit from MetaFile.  The
+    __eq__, __ne__, perform 'equal' and 'not equal' comparisons
+    between Metadata File objects.
+
+  """
+
+  info = None
+
+  def __eq__(self, other):
+    return isinstance(other, MetaFile) and self.info == other.info
+
+
+  def __ne__(self, other):
+    return not self.__eq__(other)
+
+
+  def __getattr__(self, name):
+    """
+      Allow all metafile objects to have their interesting attributes
+      referred to directly without the info dict. The info dict is just
+      to be able to do the __eq__ comparison generically.
+    
+    """
+    
+    if name in self.info:
+      return self.info[name]
+    raise AttributeError, name
+
+
+
+
+
+class TimestampFile(MetaFile):
+  def __init__(self, timestamp, expires, filedict):
+    self.info = {}
+    self.info['ts'] = timestamp
+    self.info['expires'] = expires
+    self.info['meta'] = filedict
+
+
+  @staticmethod
+  def from_metadata(object):
+    # Is 'object' a Timestamp metadata file?
+    # Raise tuf.FormatError if not.
+    TIMESTAMP_SCHEMA.check_match(object) 
+
+    timestamp = parse_time(object['ts'])
+    expires = parse_time(object['expires'])
+    filedict = object['meta']
+    return TimestampFile(timestamp, expires, filedict)
+    
+    
+  @staticmethod
+  def make_metadata(filedict):
+    result = {'_type' : 'Timestamp'}
+    # TODO: set the expires time another way.
+    result['ts'] = format_time(time.time())
+    result['expires'] = format_time(time.time() + 3600 * 24 * 365)
+    result['meta'] = filedict
+
+    # Is 'result' a Timestamp metadata file?
+    # Raise 'tuf.FormatError' if not.
+    TIMESTAMP_SCHEMA.check_match(result)
+
+    return result
+
+
+
+
+
+class RootFile(MetaFile):
+  def __init__(self, timestamp, expires, keys, roles):
+    self.info = {}
+    self.info['ts'] = timestamp
+    self.info['expires'] = expires
+    self.info['keys'] = keys
+    self.info['roles'] = roles
+
+
+  @staticmethod
+  def from_metadata(object):
+    # Is 'object' a Root metadata file?
+    # Raise tuf.FormatError if not.
+    ROOT_SCHEMA.check_match(object) 
+    
+    timestamp = parse_time(object['ts'])
+    expires = parse_time(object['expires'])
+    keys = object['keys']
+    roles = object['roles']
+    
+    return RootFile(timestamp, expires, keys, roles)
+
+
+  @staticmethod
+  def make_metadata(keydict, roledict, expiration_seconds):
+    # Is 'expiration_seconds' properly formatted?
+    # Raise 'tuf.FormatError' if not.
+    LENGTH_SCHEMA.check_match(expiration_seconds)
+    
+    result = {'_type' : 'Root'}
+    # TODO: set the expires time another way.
+    result['ts'] = format_time(time.time())
+    result['expires'] = format_time(time.time() + expiration_seconds)
+    result['keys'] = keydict
+    result['roles'] = roledict
+    
+    # Is 'result' a Root metadata file?
+    # Raise 'tuf.FormatError' if not.
+    ROOT_SCHEMA.check_match(result)
+    
+    return result
+
+
+
+
+
+class ReleaseFile(MetaFile):
+  def __init__(self, timestamp, expires, filedict):
+    self.info = {}
+    self.info['ts'] = timestamp
+    self.info['expires'] = expires
+    self.info['meta'] = filedict
+
+
+  @staticmethod
+  def from_metadata(object):
+    # Is 'object' a Release metadata file?
+    # Raise tuf.FormatError if not.
+    RELEASE_SCHEMA.check_match(object)
+    
+    timestamp = parse_time(object['ts'])
+    expires = parse_time(object['expires'])
+    filedict = object['meta']
+    
+    return ReleaseFile(timestamp, expires, filedict)
+
+
+  @staticmethod
+  def make_metadata(filedict):
+    result = {'_type' : 'Release'}
+    # TODO: set the expires time another way.
+    result['ts'] = format_time(time.time())
+    result['expires'] = format_time(time.time() + 3600 * 24 * 365)
+    result['meta'] = filedict
+
+    # Is 'result' a Release metadata file?
+    # Raise 'tuf.FormatError' if not.
+    RELEASE_SCHEMA.check_match(result)
+    
+    return result
+
+
+
+
+
+class TargetsFile(MetaFile):
+  def __init__(self, timestamp, expires, filedict=None, delegations=None):
+    if filedict is None:
+      filedict = {}
+    if delegations is None:
+      delegations = {}
+    self.info = {}
+    self.info['ts'] = timestamp
+    self.info['expires'] = expires
+    self.info['targets'] = filedict
+    self.info['delegations'] = delegations
+
+
+  @staticmethod
+  def from_metadata(object):
+    # Is 'object' a Targets metadata file?
+    # Raise tuf.FormatError if not.
+    TARGETS_SCHEMA.check_match(object)
+    
+    timestamp = parse_time(object['ts'])
+    expires = parse_time(object['expires'])
+    filedict = object.get('targets')
+    delegations = object.get('delegations')
+    
+    return TargetsFile(timestamp, expires, filedict, delegations)
+
+
+  @staticmethod
+  def make_metadata(filedict=None, delegations=None):
+    if filedict is None and delegations is None:
+      raise tuf.Error('We don\'t allow completely empty targets metadata.')
+
+    result = {'_type' : 'Targets'}
+    # TODO: set the expires time another way.
+    result['ts'] = format_time(time.time())
+    result['expires'] = format_time(time.time() + 3600 * 24 * 365)
+    if filedict is not None:
+      result['targets'] = filedict
+    if delegations is not None:
+      result['delegations'] = delegations
+
+    # Is 'result' a Targets metadata file?
+    # Raise 'tuf.FormatError' if not.
+    TARGETS_SCHEMA.check_match(result)
+    
+    return result
+
+
+
+
+
+class MirrorsFile(MetaFile):
+  def __init__(self, timestamp, expires):
+    self.info = {}
+    self.info['ts'] = timestamp
+    self.info['expires'] = expires
+
+
+  @staticmethod
+  def from_metadata(object):
+    raise NotImplementedError
+
+
+  @staticmethod
+  def make_metadata():
+    raise NotImplementedError
+
+
+
+
+
+# A dict holding the recognized schemas for the top-level roles.
+SCHEMAS_BY_TYPE = {
+  'Root' : ROOT_SCHEMA,
+  'Targets' : TARGETS_SCHEMA,
+  'Release' : RELEASE_SCHEMA,
+  'Timestamp' : TIMESTAMP_SCHEMA,
+  'Mirrors' : MIRRORLIST_SCHEMA}
+
+# A dict holding the recognized class names for the top-level roles.
+# That is, the role classes listed in this module (e.g., class TargetsFile()).
+ROLE_CLASSES_BY_TYPE = {
+  'Root' : RootFile,
+  'Targets' : TargetsFile,
+  'Release' : ReleaseFile,
+  'Timestamp' : TimestampFile,
+  'Mirrors' : MirrorsFile}
+
+
+
+
+
+def format_time(timestamp):
+  """
+  <Purpose>
+    Encode 'timestamp' in YYYY-MM-DD HH:MM:SS format.
+    'timestamp' is a Unix timestamp value.  For example, it is the time
+    format returned by calendar.timegm(). 
+
+    >>> format_time(499137720)
+    '1985-10-26 01:22:00'
+
+  <Arguments>
+    timestamp:
+      The time to format.
+
+  <Exceptions>
+    tuf.Error, if 'timestamp' is invalid.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A string in 'YYYY-MM-DD HH:MM:SS' format.
+
+  """
+   
+  try:
+    return time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(timestamp))
+  except (ValueError, TypeError):
+    raise tuf.FormatError('Invalid argument value')
+
+
+
+
+def parse_time(string):
+  """
+  <Purpose>
+    Parse 'string' in YYYY-MM-DD HH:MM:SS format.
+
+  <Arguments>
+    string:
+      A string representing the time (e.g., '1985-10-26 01:20:00').
+
+  <Exceptions>
+    tuf.FormatError, if parsing 'string' fails.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A timestamp (e.g., 499137660).
+
+  """
+  
+  # Is 'string' properly formatted?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  TIME_SCHEMA.check_match(string)
+  
+  try:
+    return calendar.timegm(time.strptime(string, '%Y-%m-%d %H:%M:%S'))
+  except ValueError:
+    raise tuf.FormatError('Malformed time '+repr(string))
+
+
+
+
+
+def format_base64(data):
+  """
+  <Purpose>
+    Return the base64 encoding of 'data' with whitespace
+    and '=' signs omitted.
+
+  <Arguments>
+    data:
+      A string or buffer of data to convert.
+
+  <Exceptions>
+    tuf.FormatError, if the base64 encoding fails or the argument
+    is invalid.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A base64-encoded string.
+
+  """
+  
+  try:
+    return binascii.b2a_base64(data).rstrip('=\n ')
+  except (TypeError, binascii.Error), e:
+    raise tuf.FormatError('Invalid base64 encoding: '+str(e))
+
+
+
+
+
+def parse_base64(base64_string):
+  """
+  <Purpose>
+    Parse a base64 encoding with whitespace and '=' signs omitted.
+  
+  <Arguments>
+    base64_string:
+      A string holding a base64 value.
+
+  <Exceptions>
+    tuf.FormatError, if 'base64_string' cannot be parsed due to
+    an invalid base64 encoding.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A byte string representing the parsed based64 encoding of
+    'base64_string'.
+
+  """
+
+  if not isinstance(base64_string, basestring):
+    message = 'Invalid argument: '+repr(base64_string)
+    raise tuf.FormatError(message)
+
+  extra = len(base64_string) % 4
+  if extra:
+    padding = '=' * (4 - extra)
+    base64_string = base64_string + padding
+
+  try:
+    return binascii.a2b_base64(base64_string)
+  except (TypeError, binascii.Error), e:
+    raise tuf.FormatError('Invalid base64 encoding: '+str(e))
+
+
+
+
+
+def make_signable(object):
+  """
+  <Purpose>
+    Return the role metadata 'object' in 'SIGNABLE_SCHEMA' format.
+    'object' is added to the 'signed' key, and an empty list
+    initialized to the 'signatures' key.  The caller adds signatures
+    to this second field.
+    Note: check_signable_object_format() should be called after
+    make_signable() and signatures added to ensure the final
+    signable object has a valid format (i.e., a signable containing
+    a supported role metadata).
+
+  <Arguments>
+    object:
+      A role schema dict (e.g., 'ROOT_SCHEMA', 'RELEASE_SCHEMA'). 
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A dict in 'SIGNABLE_SCHEMA' format.
+
+  """
+
+  if not isinstance(object, dict) or 'signed' not in object:
+    return { 'signed' : object, 'signatures' : [] }
+  else:
+    return object
+
+
+
+
+
+def make_fileinfo(length, hashes, custom=None):
+  """
+  <Purpose>
+    Create a dictionary conformant to 'FILEINFO_SCHEMA'.
+    This dict describes both metadata and target files.
+
+  <Arguments>
+    length:
+      An integer representing the size of the file.
+
+    hashes:
+      A dict of hashes in 'HASHDICT_SCHEMA' format, which has the form:
+       {'sha256': 123df8a9b12, 'sha512': 324324dfc121, ...}
+
+    custom:
+      An optional object providing additional information about the file.
+
+  <Exceptions>
+    tuf.FormatError, if the 'FILEINFO_SCHEMA' to be returned
+    does not have the correct format.
+
+  <Side Effects>
+    If any of the arguments are incorrectly formatted, the dict
+    returned will be checked for formatting errors, and if found,
+    will raise a 'tuf.FormatError' exception.
+
+  <Returns>
+    A dictionary conformant to 'FILEINFO_SCHEMA', representing the file
+    information of a metadata or target file.
+
+  """
+
+  fileinfo = {'length' : length, 'hashes' : hashes}
+  if custom is not None:
+    fileinfo['custom'] = custom
+
+  # Raise 'tuf.FormatError' if the check fails.
+  FILEINFO_SCHEMA.check_match(fileinfo)
+
+  return fileinfo
+
+
+
+
+
+def make_role_metadata(keyids, threshold, paths=None):
+  """
+  <Purpose>
+    Create a dictionary conforming to 'tuf.formats.ROLE_SCHEMA',
+    representing the role with 'keyids', 'threshold', and 'paths'
+    as field values.  'paths' is optional (i.e., used only by the
+    'Target' role).
+
+  <Arguments>
+    keyids: a list of key ids.
+
+    threshold:
+      An integer denoting the number of required keys
+      for the signing role.
+
+    paths:
+      The 'Target' role stores the paths of target files
+      in its metadata file.  'paths' is a list of
+      file paths.
+  
+  <Exceptions>
+    tuf.FormatError, if the returned role meta is
+    formatted incorrectly.
+
+  <Side Effects>
+    If any of the arguments do not have a proper format, a 
+    tuf.formats exception is raised when the 'ROLE_SCHEMA' dict
+    is created.
+
+  <Returns>
+    A properly formatted role meta dict, conforming to
+    'ROLE_SCHEMA'.
+    
+  """
+
+  role_meta = {}
+  role_meta['keyids'] = keyids
+  role_meta['threshold'] = threshold
+  if paths is not None:
+    role_meta['paths'] = paths
+
+  # Does 'role_meta' have the correct type?
+  # This check ensures 'role_meta' conforms to
+  # tuf.formats.ROLE_SCHEMA.
+  ROLE_SCHEMA.check_match(role_meta)
+
+  return role_meta
+
+
+
+
+
+def get_role_class(expected_rolename):
+  """
+  <Purpose>
+    Return the role class corresponding to
+    'expected_rolename'.  The role name returned
+    by expected_meta_rolename() should be the name
+    passed as an argument to this function.  If
+    'expected_rolename' is 'Root', the class
+    RootFile is returned.
+
+  <Arguments>
+    expected_rolename:
+      The role name used to determine which role class
+      to return.
+
+  <Exceptions>
+    tuf.FormatError, if 'expected_rolename' is not a
+    supported role.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    The class corresponding to 'expected_rolename'.
+    E.g., 'Release' as an argument to this function causes
+    'ReleaseFile' to be returned. 
+
+  """
+ 
+  # Does 'expected_rolename' have the correct type?
+  # This check ensures 'expected_rolename' conforms to
+  # 'tuf.formats.NAME_SCHEMA'.
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  NAME_SCHEMA.check_match(expected_rolename)
+  
+  try:
+    role_class = ROLE_CLASSES_BY_TYPE[expected_rolename]
+  except KeyError:
+    raise tuf.FormatError(repr(expected_rolename)+' not supported.')
+  else:
+    return role_class
+
+
+
+
+
+def expected_meta_rolename(meta_rolename):
+  """
+  <Purpose>
+    Ensure 'meta_rolename' is properly formatted.
+    'targets' is returned as 'Targets'.
+    'targets role1' is returned as 'Targets Role1'.
+
+    The words in the string (i.e., separated by whitespace)
+    are capitalized.
+
+  <Arguments>
+    meta_rolename:
+      A string representing the rolename.
+      E.g., 'root', 'targets'.
+
+  <Exceptions>
+    tuf.FormatError, if 'meta_rolename' is improperly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A string (e.g., 'Root', 'Targets').
+    
+  """
+   
+  # Does 'meta_rolename' have the correct type?
+  # This check ensures 'meta_rolename' conforms to
+  # 'tuf.formats.NAME_SCHEMA'.
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  NAME_SCHEMA.check_match(meta_rolename)
+  
+  return string.capwords(meta_rolename)
+
+
+
+
+
+def check_signable_object_format(object):
+  """
+  <Purpose>
+    Ensure 'object' is properly formatted, conformant to
+    'tuf.formats.SIGNABLE_SCHEMA'.  Return the signing role on success.
+    Note: The 'signed' field of a 'SIGNABLE_SCHEMA' is checked against
+    tuf.schema.Any().  The 'signed' field, however, should actually
+    hold one of the supported role schemas (e.g., 'ROOT_SCHEMA',
+    'TARGETS_SCHEMA').  The role schemas all differ in their format, so this
+    function determines exactly which schema is listed in the 'signed'
+    field.
+
+  <Arguments>
+    object:
+     The object compare against 'SIGNABLE.SCHEMA'. 
+
+  <Exceptions>
+    tuf.FormatError, if 'object' does not have the correct format.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A string representing the signing role (e.g., 'root', 'targets').
+    The role string is returned with characters all lower case.
+
+  """
+  
+  # Does 'object' have the correct type?
+  # This check ensures 'object' conforms to
+  # 'tuf.formats.SIGNABLE_SCHEMA'.
+  SIGNABLE_SCHEMA.check_match(object)
+
+  try:
+    role_type = object['signed']['_type']
+  except (KeyError, TypeError):
+    raise tuf.FormatError('Untyped object')
+  try:
+    schema = SCHEMAS_BY_TYPE[role_type]
+  except KeyError:
+    raise tuf.FormatError('Unrecognized type '+repr(role_type))
+  
+  # 'tuf.FormatError' raised if 'object' does not have a properly
+  # formatted role schema.
+  schema.check_match(object['signed'])
+
+  return role_type.lower()
+
+
+
+
+
+def _canonical_string_encoder(string):
+  """
+  <Purpose>
+    Encode 'string' to canonical string format.
+    
+  <Arguments>
+    string:
+      The string to encode.
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A string with the canonical-encoded 'string' embedded.
+
+  """
+
+  string = '"%s"' % re.sub(r'(["\\])', r'\\\1', string)
+  if isinstance(string, unicode):
+    return string.encode('utf-8')
+  else:
+    return string
+
+
+
+
+
+def _encode_canonical(object, output_function):
+  # Helper for encode_canonical.  Older versions of json.encoder don't
+  # even let us replace the separators.
+
+  if isinstance(object, basestring):
+    output_function(_canonical_string_encoder(object))
+  elif object is True:
+    output_function("true")
+  elif object is False:
+    output_function("false")
+  elif object is None:
+    output_function("null")
+  elif isinstance(object, (int, long)):
+    output_function(str(object))
+  elif isinstance(object, (tuple, list)):
+    output_function("[")
+    if len(object):
+      for item in object[:-1]:
+        _encode_canonical(item, output_function)
+        output_function(",")
+      _encode_canonical(object[-1], output_function)
+    output_function("]")
+  elif isinstance(object, dict):
+    output_function("{")
+    if len(object):
+      items = object.items()
+      items.sort()
+      for key, value in items[:-1]:
+        output_function(_canonical_string_encoder(key))
+        output_function(":")
+        _encode_canonical(value, output_function)
+        output_function(",")
+      key, value = items[-1]
+      output_function(_canonical_string_encoder(key))
+      output_function(":")
+      _encode_canonical(value, output_function)
+    output_function("}")
+  else:
+    raise tuf.FormatError('I cannot encode '+repr(object))
+
+
+
+
+
+def encode_canonical(object, output_function=None):
+  """
+  <Purpose>
+    Encode 'object' in canonical JSON form, as specified at
+    http://wiki.laptop.org/go/Canonical_JSON .  It's a restricted
+    dialect of JSON in which keys are always lexically sorted,
+    there is no whitespace, floats aren't allowed, and only quote
+    and backslash get escaped.  The result is encoded in UTF-8,
+    and the resulting bits are passed to output_function (if provided),
+    or joined into a string and returned.
+
+    Note: This function should be called prior to computing the hash or
+    signature of a JSON object in TUF.  For example, generating a signature
+    of a signing role object such as 'ROOT_SCHEMA' is required to ensure
+    repeatable hashes are generated across different json module versions
+    and platforms.  Code elsewhere is free to dump JSON objects in any format
+    they wish (e.g., utilizing indentation and single quotes around object
+    keys).  These objects are only required to be in "canonical JSON" format
+    when their hashes or signatures are needed.
+
+    >>> encode_canonical("")
+    '""'
+    >>> encode_canonical([1, 2, 3])
+    '[1,2,3]'
+    >>> encode_canonical([])
+    '[]'
+    >>> encode_canonical({"A": [99]})
+    '{"A":[99]}'
+    >>> encode_canonical({"x" : 3, "y" : 2})
+    '{"x":3,"y":2}'
+  
+  <Arguments>
+    object:
+      The object to be encoded.
+
+    output_function:
+      The result will be passed as arguments to 'output_function'
+      (e.g., output_function('result')).
+
+  <Exceptions>
+    tuf.FormatError, if 'object' cannot be encoded or 'output_function'
+    is not callable.
+
+  <Side Effects>
+    The results are fed to 'output_function()' if 'output_function' is set.  
+
+  <Returns>
+    A string representing the 'object' encoded in canonical JSON form.
+
+  """
+
+  result = None
+  # If 'output_function' is unset, treat it as
+  # appending to a list.
+  if output_function is None:
+    result = []
+    output_function = result.append
+
+  try:
+    _encode_canonical(object, output_function)
+  except TypeError, e:
+    message = 'Could not encode '+repr(object)+': '+str(e)
+    raise tuf.FormatError(message)
+
+  # Return the encoded 'object' as a string.
+  # Note: Implies 'output_function' is None,
+  # otherwise results are sent to 'output_function'.
+  if result is not None:
+    return ''.join(result)
+
+
+
+
+
+if __name__ == '__main__':
+  # The interactive sessions of the documentation strings can
+  # be tested by running formats.py as a standalone module.
+  # python -B formats.py
+  import doctest
+  doctest.testmod()
diff --git a/src/tuf/hash.py b/src/tuf/hash.py
new file mode 100755
index 00000000..7cce6d91
--- /dev/null
+++ b/src/tuf/hash.py
@@ -0,0 +1,299 @@
+"""
+<Program Name>
+  hash.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  February 28, 2012.  Based on a previous version of this module.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Support multiple implementations of secure hash and message digest
+  algorithms. Any hash-related routines that TUF requires should be
+  located in this module.  Ensuring that a secure hash algorithm is
+  available to TUF, simplifying the creation of digest objects, and
+  providing a central location for hash routines are the main goals
+  of this module.  Support routines implemented include functions to 
+  create digest objects given a filename or file object.
+  Hashlib and pycrypto hash algorithms currently supported.
+
+"""
+
+
+# Import tuf Exceptions.
+import tuf
+
+# Import tuf logger to log warning messages.
+import logging
+logger = logging.getLogger('tuf.hash')
+
+# The list of hash libraries imported successfully.
+_supported_libraries = []
+
+# Hash libraries currently supported by tuf.hash.
+_SUPPORTED_LIB_LIST = ['hashlib', 'pycrypto'] 
+
+# Let's try importing the pycrypto hash algorithms.  Pycrypto will
+# not be added to the supported list of libraries if the specified
+# hash algorithms below cannot all be imported.
+try:
+  from Crypto.Hash import MD5
+  from Crypto.Hash import SHA
+  from Crypto.Hash import SHA224
+  from Crypto.Hash import SHA256
+  from Crypto.Hash import SHA384
+  from Crypto.Hash import SHA512
+  _supported_libraries.append('pycrypto')
+except ImportError:
+  logger.warn('Pycrypto hash algorithms could not be imported.  '
+              'Supported libraries: '+str(_SUPPORTED_LIB_LIST))
+
+  pass
+
+# Python <=2.4 does not have the hashlib module by default.
+# Let's try importing hashlib and adding it to our supported list.
+try:
+  import hashlib
+  _supported_libraries.append('hashlib')
+except ImportError:
+  logger.warn('Hashlib could not be imported.  '
+              'Supported libraries: '+str(_SUPPORTED_LIB_LIST)) 
+  pass
+
+# Were we able to import any hash libraries?
+if not _supported_libraries:
+  # This is fatal, we'll have no way of generating hashes.
+  raise tuf.Error('Unable to import a hash library from the '
+                  'following supported list: '+str(_SUPPORTED_LIB_LIST)) 
+
+
+_DEFAULT_HASH_ALGORITHM = 'sha256'
+_DEFAULT_HASH_LIBRARY = 'hashlib'
+
+
+
+
+
+def digest(algorithm=_DEFAULT_HASH_ALGORITHM, 
+           hash_library=_DEFAULT_HASH_LIBRARY):
+  """
+  <Purpose>
+    Provide the caller with the ability to create
+    digest objects without having to worry about hash
+    library availability or which library to use.  
+    The caller also has the option of specifying which
+    hash algorithm and/or library to use.
+
+    # Creation of a digest object using defaults
+    # or by specifying hash algorithm and library.
+    digest_object = tuf.hash.digest()
+    digest_object = tuf.hash.digest('sha384')
+    digest_object = tuf.hash.digest('pycrypto')
+
+    # The expected interface for digest objects. 
+    digest_object.digest_size
+    digest_object.hexdigest()
+    digest_object.update('data')
+    digest_object.digest()
+    
+    # Added hash routines by this module.
+    digest_object = tuf.hash.digest_fileobject(file_object)
+    digest_object = tuf.hash.digest_filename(filename)
+  
+  <Arguments>
+    algorithm:
+      The hash algorithm (e.g., md5, sha1, sha256).
+
+    hash_library:
+      The library providing the hash algorithms 
+      (e.g., pycrypto, hashlib).
+      
+  <Exceptions>
+    tuf.UnsupportedAlgorithmError
+    tuf.UnsupportedLibraryError
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    Digest object (e.g., hashlib.new(algorithm) or 
+    algorithm.new() # pycrypto).
+
+  """
+
+  # Was a hashlib digest object requested and is it supported?
+  # If so, return the digest object.
+  if hash_library == 'hashlib' and hash_library in _supported_libraries:
+    try:
+      return hashlib.new(algorithm)
+    except ValueError:
+      raise tuf.UnsupportedAlgorithmError(algorithm)
+
+  # Was a pycrypto digest object requested and is it supported?
+  elif hash_library == 'pycrypto' and hash_library in _supported_libraries:
+    # Pycrypto does not offer a comparable hashlib.new(hashname).
+    # Let's first check the 'algorithm' argument before returning
+    # the correct pycrypto digest object using pycrypto's object construction. 
+    if algorithm == 'md5':
+      return MD5.new()
+    elif algorithm == 'sha1':
+      return SHA.new()
+    elif algorithm == 'sha224':
+      return SHA224.new()
+    elif algorithm == 'sha256':
+      return SHA256.new()
+    elif algorithm == 'sha384':
+      return SHA384.new()
+    elif algorithm == 'sha512':
+      return SHA512.new()
+    else:
+      raise tuf.UnsupportedAlgorithmError(algorithm)
+  
+  # The requested hash library is not supported. 
+  else:
+    raise tuf.UnsupportedLibraryError('Unsupported library requested.  '
+                    'Supported hash libraries: '+str(_SUPPORTED_LIB_LIST)) 
+
+
+
+
+
+def digest_fileobject(file_object, algorithm=_DEFAULT_HASH_ALGORITHM,
+                      hash_library=_DEFAULT_HASH_LIBRARY):
+  """
+  <Purpose>
+    Generate a digest object given a file object.  The new digest object
+    is updated with the contents of 'file_object' prior to returning the
+    object to the caller.
+      
+  <Arguments>
+    file_object:
+      File object whose contents will be used as the data
+      to update the hash of a digest object to be returned.
+
+    algorithm:
+      The hash algorithm (e.g., md5, sha1, sha256).
+
+    hash_library:
+      The library providing the hash algorithms 
+      (e.g., pycrypto, hashlib).
+
+  <Exceptions>
+    tuf.UnsupportedAlgorithmError
+    tuf.Error
+
+  <Side Effects>
+    Calls tuf.hash.digest() to create the actual digest object.
+
+  <Returns>
+    Digest object (e.g., hashlib.new(algorithm) or 
+    algorithm.new() # pycrypto).
+
+  """
+
+  # Digest object returned whose hash will be updated using 'file_object'.
+  # digest() raises:
+  # tuf.UnsupportedAlgorithmError
+  # tuf.Error
+  digest_object = digest(algorithm, hash_library)
+
+  # Defensively seek to beginning, as there's no case where we don't
+  # intend to start from the beginning of the file.
+  file_object.seek(0)
+
+  # Read the contents of the file object in at most 4096-byte chunks.
+  # Update the hash with the data read from each chunk and return after
+  # the entire file is processed. 
+  while True:
+    chunksize = 4096
+    data = file_object.read(chunksize)
+    if not data:
+      break
+    digest_object.update(data_to_string(data))
+  return digest_object
+
+
+
+
+
+def digest_filename(filename, algorithm=_DEFAULT_HASH_ALGORITHM,
+                    hash_library=_DEFAULT_HASH_LIBRARY):
+  """
+  <Purpose>
+    Generate a digest object, update its hash using a file object
+    specified by filename, and then return it to the caller.
+
+  <Arguments>
+    filename:
+      The filename belonging to the file object to be used. 
+    
+    algorithm:
+      The hash algorithm (e.g., md5, sha1, sha256).
+
+    hash_library:
+      The library providing the hash algorithms 
+      (e.g., pycrypto, hashlib).
+
+  <Exceptions>
+    tuf.UnsupportedAlgorithmError
+    tuf.Error 
+
+  <Side Effects>
+    Calls tuf.hash.digest_fileobject() after opening 'filename'.
+    File closed before returning.
+
+  <Returns>
+    Digest object (e.g., hashlib.new(algorithm) or 
+    algorithm.new() # pycrypto).
+
+  """
+
+  # Open 'filename' in read+binary mode.
+  file_object = open(filename, 'rb')
+  
+  # Create digest_object and update its hash data from file_object.
+  # digest_fileobject() raises:
+  # tuf.UnsupportedAlgorithmError
+  # tuf.Error
+  digest_object = digest_fileobject(file_object, algorithm, hash_library)
+  
+  file_object.close()
+  return digest_object
+
+
+
+
+
+def data_to_string(data):
+  """
+  <Purpose>
+    Return 'data' as a string.  The update() function of a digest object
+    only accepts strings, however, TUF will often need to feed this function
+    non-strings.  This utility function circumvents this issue and decides how
+    exactly to convert these objects TUF might use.
+
+  <Arguments>
+    data:
+      The data object to be returned as a string. 
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    String.
+
+  """
+
+  if isinstance(data, str):
+    return data
+  elif isinstance(data, unicode):
+    return data.encode("utf-8")
+  else:
+    return str(data)
diff --git a/src/tuf/keydb.py b/src/tuf/keydb.py
new file mode 100755
index 00000000..a1c79674
--- /dev/null
+++ b/src/tuf/keydb.py
@@ -0,0 +1,269 @@
+"""
+<Program Name>
+  keydb.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  March 21, 2012.  Based on a previous version of this module by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Represent a collection of keys and their organization.  This module ensures
+  the layout of the collection remain consistent and easily verifiable.
+  Provided are functions to add and delete keys from the database, retrieve a
+  single key, and assemble a collection from keys stored in TUF 'Root' Metadata
+  files.
+  
+  RSA keys are currently supported and a collection of keys is organized as a 
+  dictionary indexed by key ID.  Key IDs are used as identifiers for keys (e.g.,
+  RSA key).  They are the hexadecimal representations of the hash of key objects
+  (specifically, the key object containing only the public key).  See 'rsa_key.py'
+  and the '_get_keyid()' function to see precisely how keyids are generated.
+  One may get the keyid of a key object by simply accessing the dictionary's
+  'keyid' key (i.e., rsakey['keyid']).
+
+"""
+
+
+import logging
+
+import tuf.formats
+import tuf.rsa_key
+
+# See 'log.py' to learn how logging is handled in TUF.
+logger = logging.getLogger('tuf.keydb')
+
+# The key database.
+_keydb_dict = {}
+
+
+def create_keydb_from_root_metadata(root_metadata):
+  """
+  <Purpose>
+    Populate the key database with the unique keys found in 'root_metadata'.
+    The database dictionary will conform to 'tuf.formats.KEYDB_SCHEMA' and
+    have the form: {keyid: key, ...}.  
+    The 'keyid' conforms to 'tuf.formats.KEYID_SCHEMA' and 'key' to its
+    respective type.  In the case of RSA keys, this object would match
+    'RSAKEY_SCHEMA'.
+
+  <Arguments>
+    root_metadata:
+      A dictionary conformant to 'tuf.formats.ROOT_SCHEMA'.  The keys found
+      in the 'keys' field of 'root_metadata' are needed by this function.
+
+  <Exceptions>
+    tuf.FormatError, if 'root_metadata' does not have the correct format.
+
+  <Side Effects>
+    A function to add the key to the database is called.  In the case of RSA
+    keys, this function is add_rsakey().
+    
+    The old keydb key database is replaced.
+
+  <Returns>
+    None.
+
+  """
+
+  # Does 'root_metadata' have the correct format?
+  # This check will ensure 'root_metadata' has the appropriate number of objects
+  # and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.ROOT_SCHEMA.check_match(root_metadata)
+
+  # Clear the key database.
+  _keydb_dict.clear()
+
+  # Iterate through the keys found in 'root_metadata' by converting
+  # them to 'RSAKEY_SCHEMA' if their type is 'rsa', and then
+  # adding them the database.  Duplicates are avoided.
+  for keyid, key_metadata in root_metadata['keys'].items():
+    if key_metadata['keytype'] == 'rsa':
+      # 'key_metadata' is stored in 'KEY_SCHEMA' format.  Call
+      # create_from_metadata_format() to get the key in 'RSAKEY_SCHEMA'
+      # format, which is the format expected by 'add_rsakey()'.
+      rsakey_dict = tuf.rsa_key.create_from_metadata_format(key_metadata)
+      try:
+        add_rsakey(rsakey_dict, keyid)
+      # 'tuf.Error' raised if keyid does not match the keyid for 'rsakey_dict'.
+      except tuf.Error, e:
+        logger.error(e)
+        continue
+      except tuf.KeyAlreadyExistsError, e:
+        logger.warn(e)
+        continue
+    else:
+      logger.warn('Root Metadata file contains a key with an invalid keytype.')
+
+
+
+
+
+def add_rsakey(rsakey_dict, keyid=None):
+  """
+  <Purpose>
+    Add 'rsakey_dict' to the key database while avoiding duplicates.
+    If keyid is provided, verify it is the correct keyid for 'rsakey_dict'
+    and raise an exception if it is not.
+  
+  <Arguments>
+    rsakey_dict:
+      A dictionary conformant to 'tuf.formats.RSAKEY_SCHEMA'.
+      It has the form:
+      {'keytype': 'rsa',
+       'keyid': keyid,
+       'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                  'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+    
+    keyid:
+      An object conformant to 'KEYID_SCHEMA'.  It is used as an identifier
+      for RSA keys.
+
+  <Exceptions>
+    tuf.FormatError, if 'rsakey_dict' or 'keyid' does not have the 
+    correct format.
+
+    tuf.Error, if 'keyid' does not match the keyid for 'rsakey_dict'.
+
+    tuf.KeyAlreadyExistsError, if 'rsakey_dict' is found in the key database.
+
+  <Side Effects>
+    The keydb key database is modified.
+
+  <Returns>
+    None.
+
+  """
+ 
+
+  # Does 'rsakey_dict' have the correct format?
+  # This check will ensure 'rsakey_dict' has the appropriate number of objects
+  # and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError if the check fails.
+  tuf.formats.RSAKEY_SCHEMA.check_match(rsakey_dict)
+
+  # Does 'keyid' have the correct format?
+  if keyid is not None:
+    # Raise 'tuf.FormatError' if the check fails. 
+    tuf.formats.KEYID_SCHEMA.check_match(keyid)
+
+    # Check if the keyid found in 'rsakey_dict' matches 'keyid'.
+    if keyid != rsakey_dict['keyid']:
+      raise tuf.Error('Incorrect keyid '+rsakey_dict['keyid']+' expected '+keyid)
+ 
+  # Check if the keyid belonging to 'rsakey_dict' is not already
+  # available in the key database before returning.
+  keyid = rsakey_dict['keyid']
+  if keyid in _keydb_dict:
+    raise tuf.KeyAlreadyExistsError('Key: '+keyid)
+ 
+  _keydb_dict[keyid] = rsakey_dict
+
+
+
+
+
+def get_key(keyid):
+  """ 
+  <Purpose>
+    Return the key belonging to 'keyid'.
+
+  <Arguments>
+    keyid:
+      An object conformant to 'tuf.formats.KEYID_SCHEMA'.  It is used as an
+      identifier for keys.
+
+  <Exceptions>
+    tuf.FormatError, if 'keyid' does not have the correct format.
+
+    tuf.UnknownKeyError, if 'keyid' is not found in the keydb database.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    The key matching 'keyid'.  In the case of RSA keys, a dictionary conformant
+    to 'tuf.formats.RSAKEY_SCHEMA' is returned.
+
+  """
+
+  # Does 'keyid' have the correct format?
+  # This check will ensure 'keyid' has the appropriate number of objects
+  # and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' is the match fails.
+  tuf.formats.KEYID_SCHEMA.check_match(keyid)
+
+  # Return the key belonging to 'keyid', if found in the key database.
+  try:
+    return _keydb_dict[keyid]
+  except KeyError:
+    raise tuf.UnknownKeyError('Key: '+keyid)
+
+
+
+
+
+def remove_key(keyid):
+  """ 
+  <Purpose>
+    Remove the key belonging to 'keyid'.
+
+  <Arguments>
+    keyid:
+      An object conformant to 'tuf.formats.KEYID_SCHEMA'.  It is used as an
+      identifier for keys.
+
+  <Exceptions>
+    tuf.FormatError, if 'keyid' does not have the correct format.
+
+    tuf.UnknownKeyError, if 'keyid' is not found in key database.
+
+  <Side Effects>
+    The key, identified by 'keyid', is deleted from the key database.
+
+  <Returns>
+    None.
+
+  """
+
+  # Does 'keyid' have the correct format?
+  # This check will ensure 'keyid' has the appropriate number of objects
+  # and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' is the match fails.
+  tuf.formats.KEYID_SCHEMA.check_match(keyid)
+
+  # Remove the key belonging to 'keyid' if found in the key database.
+  if keyid in _keydb_dict: 
+    del _keydb_dict[keyid]
+  else:
+    raise tuf.UnknownKeyError('Key: '+keyid)
+
+
+
+
+
+def clear_keydb():
+  """
+  <Purpose>
+    Clear the keydb key database.
+
+  <Arguments>
+    None.
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    The keydb key database is reset.
+
+  <Returns>
+    None.
+
+  """
+  
+  _keydb_dict.clear()
diff --git a/src/tuf/log.py b/src/tuf/log.py
new file mode 100755
index 00000000..b34c0a5c
--- /dev/null
+++ b/src/tuf/log.py
@@ -0,0 +1,106 @@
+"""
+<Program Name>
+  log.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  April 4, 2012.  Based on a previous version of this module by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  A central location for all logging-related configuration.
+  This module should be imported once by the main program.
+  If other modules wish to incorporate 'tuf' logging, they
+  should do the following:
+
+  import logging
+  logger = logging.getLogger('tuf')
+
+  'logging' refers to the module name.  logging.getLogger() is a function of
+  the module 'logging'.  logging.getLogger(name) returns a Logger instance
+  associated with 'name'.  Calling getLogger(name) will always return the same
+  instance.  In this 'log.py' module, we perform the initial setup for the name
+  'tuf'.  The 'log.py' module should only be imported once by the main program.
+  When any other module does a logging.getLogger('tuf'), it is referring to the
+  same 'tuf' instance and its associated settings we set up here in 'log.py'.
+  See http://docs.python.org/library/logging.html#logger-objects
+  for more information.
+
+  We use multiple handlers to process log messages in various ways and to
+  configure each one independently.  Instead of using one single manner of
+  processing log messages, we can use two built-in handlers that have already
+  been configured for us.  For example, the built-in FileHandler will catch
+  log message and dump them to a file.  If we wanted, we could set this file
+  handler to only catch CRITICAL (and greater)  messages and save them to a
+  file.  The other stream handler would still handle DEBUG-level (and greater)
+  messages.
+
+"""
+
+
+import logging
+
+
+_DEFAULT_LOG_LEVEL = logging.INFO
+_DEFAULT_LOG_FILENAME = 'tuf.log'
+
+# Set the format for logging messages.
+_FORMAT_STRING = "[%(asctime)s] [%(name)s] [%(levelname)s] %(message)s"
+formatter = logging.Formatter(_FORMAT_STRING)
+
+# Set the handlers for the logger.
+# The built-in stream handler will log
+# messages to 'sys.stderr' and capture
+# '_DEFAULT_LOG_LEVEL' messages.
+stream_handler = logging.StreamHandler()
+stream_handler.setLevel(_DEFAULT_LOG_LEVEL)
+stream_handler.setFormatter(formatter)
+
+# Set the built-in file handler.  Messages
+# will be logged to '_DEFAULT_LOG_FILENAME'
+# and use the logger's default log level.
+# The file will be opened in append mode.
+file_handler = logging.FileHandler(_DEFAULT_LOG_FILENAME)
+file_handler.setFormatter(formatter)
+
+# Set the logger and its settings.
+logger = logging.getLogger('tuf')
+logger.setLevel(_DEFAULT_LOG_LEVEL)
+logger.addHandler(stream_handler)
+logger.addHandler(file_handler)
+
+# Silently ignore logger exceptions.
+logging.raiseExceptions = False
+
+
+
+
+
+def set_log_level(log_level):
+  """
+  <Purpose>
+    Allow the default log level to be overridden.
+
+  <Arguments>
+    log_level:
+      The log level to set for the logger and handler(s).
+      E.g., logging.INFO; logging.CRITICAL.
+      
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    Overrides the logging level for the internal 
+    'logger' and 'handler'.
+
+  <Returns>
+    None.
+
+  """
+
+  logger.setLevel(log_level)
+  stream_handler.setLevel(log_level)
diff --git a/src/tuf/mirrors.py b/src/tuf/mirrors.py
new file mode 100755
index 00000000..23aa216f
--- /dev/null
+++ b/src/tuf/mirrors.py
@@ -0,0 +1,96 @@
+"""
+<Program Name>
+  mirrors.py
+
+<Author>
+  Konstantin Andrianov
+  Derived from original mirrors.py written by Geremy Condra.
+
+<Started>
+  March 12, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  This module extracts a list of mirror urls corresponding to the file type and
+  the location of the file with respect to the base url.
+
+"""
+
+import os
+import urllib
+
+import tuf.util
+import tuf.formats
+
+
+def get_list_of_mirrors(file_type, file_path, mirrors_dict):
+  """
+  <Purpose>
+    Gets a list of mirror urls from a mirrors dictionary, provided the type of
+    the file and the path of the file with respect to the base url.
+
+  <Arguments>
+    file_type:
+      Type of data needed for download, must correspond to one of the strings in
+      the list ['meta', 'target', 'targets'].  'meta' for metadata file type or
+      'target' or 'targets' for target file type.  It should correspond to
+      FILETYPE_SCHEMA format.
+
+    file_path:
+      Path to the file.  For instance if the file is a target then we
+      will have something like this: 'http://urlbase/targets_path/file_path'.
+      It should correspond to RELPATH_SCHEMA format.
+
+    mirrors_dict:
+      A mirrors_dict object that corresponds to MIRRORDICT_SCHEMA, where the
+      dict keys are strings and the dict values MIRROR_SCHEMA. An example format
+      of MIRROR_SCHEMA:
+
+    {'url_prefix':
+     'metadata_path': 'metadata/'
+     'targets_path': 'targets/'
+     'confined_target_paths': ['targets/release1', ...]
+     'custom': {...}}
+
+    The 'custom' field is optional.
+
+  <Exceptions>
+    tuf.Error on unknown file type.
+    tuf.FormatError on bad argument.
+
+  <Return>
+    List of mirror urls corresponding to the file_type and file_path.  If no
+    match is found, empty list is returned.
+
+  """
+
+  # Checking if all the arguments have appropriate format.
+  tuf.formats.RELPATH_SCHEMA.check_match(file_path)
+  tuf.formats.MIRRORDICT_SCHEMA.check_match(mirrors_dict)
+  tuf.formats.NAME_SCHEMA.check_match(file_type)
+
+  # Reference to 'path_in_confined_paths' function.
+  in_confined = tuf.util.path_in_confined_paths
+
+  list_of_mirrors = []
+  for mirror_name, mirror_info in mirrors_dict.items():
+    if file_type == 'meta':
+      base = mirror_info['url_prefix']+'/'+mirror_info['metadata_path']
+
+    else:
+      targets_path = mirror_info['targets_path']
+      full_filepath = os.path.join(targets_path, file_path)
+      if not in_confined(full_filepath, mirror_info['confined_target_paths']):
+        continue
+      base = mirror_info['url_prefix']+'/'+mirror_info['targets_path']
+
+    # urllib.quote(string) replaces special characters in string using the %xx
+    # escape.  This is done to avoid parsing issues of the URL on the server
+    # side.
+    file_path = urllib.quote(file_path)
+    url = base+'/'+file_path
+    list_of_mirrors.append(url)
+
+  return list_of_mirrors
diff --git a/src/tuf/pushtools/__init__.py b/src/tuf/pushtools/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/src/tuf/pushtools/push.cfg.sample b/src/tuf/pushtools/push.cfg.sample
new file mode 100755
index 00000000..59730bdc
--- /dev/null
+++ b/src/tuf/pushtools/push.cfg.sample
@@ -0,0 +1,10 @@
+[general]
+transfer_module = scp
+metadata_path = targets.txt
+
+[scp]
+host = 
+user = 
+identity_file =
+# remote_dir must be similarly configured on the repository side.
+remote_dir = ~/test/pushes 
diff --git a/src/tuf/pushtools/push.py b/src/tuf/pushtools/push.py
new file mode 100755
index 00000000..426fd043
--- /dev/null
+++ b/src/tuf/pushtools/push.py
@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+# Copyright 2010 The Update Framework.  See LICENSE for licensing information.
+"""
+This script provides a way for developers to push a signed targets metadata
+file and the referenced targets to a repository. The repository adds these
+files to the repository by running the receivetools/receive.py script.
+
+Usage:
+    ./push.py COMMAND COMMAND_ARGS
+    
+    Known commands:
+        push
+
+Example:
+    ./push.py push push.cfg targets.txt targetfile1 targetfile2
+
+Details of 'push' command:
+
+The developer provides the path to a configuration file that lists:
+    * The path to the targets metadata file.
+    * The name of the transfer module to use for transferring the
+      files to the repository (e.g. 'scp').
+    * Configuration information that is specific to the transfer
+      module.
+
+See the push.cfg.sample file for an example configuration file.
+
+The transfer module needs the following functionality:
+    * A way to transfer target files and the new metadata file to the
+      repository.
+      
+The transfer module may also include the following functionality:
+    * A way to determine whether the repository has rejected the push and, if
+      so, the reason for the rejection.
+"""
+
+import ConfigParser
+import sys
+
+import tuf
+
+
+def _read_config_file(filename):
+    """Return a dictionary where the keys are section names and the values
+       are dictionaries of keys/values in that section.
+    """
+    config = ConfigParser.RawConfigParser()
+    config.read(filename)
+    configdict = {}
+    for section in config.sections():
+        configdict[section] = {}
+        for key, value in config.items(section):
+            if key in ['seconds', 'minutes', 'days', 'hours']:
+                value = int(value)
+            elif key in ['keyids']:
+                value = value.split(',')
+            if key in configdict[section]:
+                configdict[section][key] = []
+            else:
+                configdict[section][key] = value
+    return configdict
+
+
+def _get_transfer_module(modulename):
+    __import__("transfer.%s" % modulename)
+    return sys.modules["transfer.%s" % modulename]
+
+
+def push(args):
+    config = _read_config_file(args[0])
+    targets = args[1:]
+    transfermod = _get_transfer_module(config['general']['transfer_module'])
+
+    context = transfermod.TransferContext(config['scp'])
+    context.transfer(targets, config['general']['metadata_path'])
+    context.finalize()
+
+
+def getstatus():
+    raise NotImplementedError
+
+
+def usage():
+    print "Known commands:"
+    print "  push config_file target [target ...]"
+    sys.exit(1)
+
+
+def main():
+    if len(sys.argv) < 2:
+        usage()
+    cmd = sys.argv[1]
+    args = sys.argv[2:]
+    if cmd in ["push", "getstatus"]:
+        try:
+            globals()[cmd](args)
+        except tuf.BadPasswordError:
+            print >> sys.stderr, "Password incorrect."
+    else:
+        usage()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/src/tuf/pushtools/receivetools/receive.py b/src/tuf/pushtools/receivetools/receive.py
new file mode 100755
index 00000000..9d720ae6
--- /dev/null
+++ b/src/tuf/pushtools/receivetools/receive.py
@@ -0,0 +1,463 @@
+#!/usr/bin/env python
+# Copyright 2010 The Update Framework.  See LICENSE for licensing information.
+"""
+This script can be run on a repository to import new targets metadata and
+target files into the repository. This is intended to work with the
+developer push tools. When this script finds a new directory pushed
+by a developer, it checks the metadata and target files and, if everything
+is good, adds the files to the repository.
+
+Usage:
+    ./receive.py
+
+Arguments:
+    None
+
+Details:
+
+The script looks in a set of pre-defined push locations that one or more
+developers may have uploaded files to using the push tools. If it finds
+a valid push, it moves the push directory to a 'processing' directory and
+also copies the pushed files to a temporary directory (these files are the
+ones used by this script).
+
+Once the repository has received and copied a set of target files and the
+corresponding targets metadata file, it performs the following checks that:
+
+    * The metadata file is newer than the last metadata file of that type.
+    * The metadata has not expired.
+    * The metadata is signed by a threshold of keys that belong to the
+      appropriate role.
+    * The target files described in the metadata are the same target files as
+      were provided.
+
+Once the verification is completed, the script backs up the files to be replaced
+or obsoleted and then adds the new files to the repository. The script then
+moves the push directory from the pushroot's 'processing' directory to its
+'processed' directory and write a 'received.result' file to the push directory
+that contains either the word SUCCESS or FAILURE. There may also be a
+received.log file written, as well. The client can check these files to determine
+whether the push was accepted and, if not, what the problem was.
+
+This script does not generate a new release.txt file or timestamp.txt file.
+That needs to be done after this script runs if any pushes have been received.
+In some cases, it may make sense to have this script operate on a non-live
+copy of the repository and then rsync the files after all changes have been
+made.
+
+This script does not handle delegated targets metadata. When the time comes to
+implement that here, care needs to be taken to ensure that a delegated targets
+metadata file can't replace a target it shouldn't. Such untrusted files would
+not trick clients, but they would prevent clients from obtaining updates. It
+may be the case that making this script general enough to handle delegated
+targets metadata may not be worth it. Such situations may be better suited to
+customization per-project because the script could then leverage knowledge
+about how the delegation is supposed to be done.
+
+Example output of this script:
+
+$ python receivetools/receive.py 
+[2010-05-12 15:54:55,683] [tuf] [DEBUG] Looking for pushes in pushroot /tmp/tuf/test/pushes
+[2010-05-12 15:54:55,684] [tuf] [INFO] Processing /tmp/tuf/test/pushes/1273704893.55
+[2010-05-12 15:54:55,684] [tuf] [DEBUG] Moving push directory to
+    /tmp/tuf/test/pushes/processing/1273704893.55
+[2010-05-12 15:54:55,693] [tuf] [DEBUG] Metadata timestamp is 2010-05-06 00:13:46
+    (replacing metdata with timestamp 2010-05-06 00:13:46)
+[2010-05-12 15:54:55,693] [tuf] [DEBUG] Metadata will expire at 2011-05-06 00:13:46
+[2010-05-12 15:54:55,693] [tuf] [DEBUG] Signatures: threshold: 1 / good:
+    [u'50792c6713637cf09e1aeb3805fc6d18f80d0a4f4ab7895f4a7cdf1abd7f5b0a'] / bad [] /
+    unrecognized: [] / unauthorized: [] / unknown method: []
+[2010-05-12 15:54:55,693] [tuf] [INFO] Number of targets specified: 1
+[2010-05-12 15:54:55,694] [tuf] [DEBUG] Size of target
+    /tmp/tuf/test/pushes/processing/1273704893.55/targets/test.txt is correct (5 bytes).
+[2010-05-12 15:54:55,694] [tuf] [DEBUG] 1 hashes to check.
+[2010-05-12 15:54:55,694] [tuf] [DEBUG] sha256 hash of target
+    /tmp/tuf/test/pushes/processing/1273704893.55/targets/test.txt is correct
+    (f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2).
+[2010-05-12 15:54:55,694] [tuf] [INFO] Backing up target
+    /var/tuf/repo/targets/test.txt to /var/tuf/replaced/1273704893.55Tsr9QJ/targets/test.txt
+[2010-05-12 15:54:55,695] [tuf] [INFO] Backing up old metadata
+    /var/tuf/repo/meta/targets.txt to /var/tuf/replaced/1273704893.55Tsr9QJ/targets.txt
+[2010-05-12 15:54:55,695] [tuf] [INFO] Adding target to repo: /var/tuf/repo/targets/test.txt
+[2010-05-12 15:54:55,695] [tuf] [INFO] Adding new targets metadata to repo:
+    /var/tuf/repo/meta/targets.txt
+[2010-05-12 15:54:55,696] [tuf] [DEBUG] Moving push directory to
+    /tmp/tuf/test/pushes/processed/1273704893.55
+[2010-05-12 15:54:55,696] [tuf] [INFO] Completed processing of all push roots.
+    Push successes = 1, failures = 0.
+
+"""
+
+import errno
+import os
+import shutil
+import sys
+import tempfile
+import time
+
+import tuf.formats
+import tuf.hash
+import tuf.keydb
+import tuf.log
+import tuf.sig
+
+logger = tuf.log.get_logger()
+
+
+# These are the locations where developers may push files to using the
+# push tools. Each push will be in its own directory with the
+# developer's push root. Each developer's push either must have the
+# directories 'processed' and 'processing' which are writable by this
+# script.
+PUSHROOTS = ['/home/SOMEUSER/pushes']
+
+# This is the directory where the repository resides. As far as this
+# script is concerned, this is the live repository. Changes will be made
+# directory to this repository.
+REPODIR = '/var/tuf/repo'
+
+# This is the metadata directory within the repository.
+METADIR = os.path.join(REPODIR, 'meta')
+
+# This is the targets directory within the repository.
+TARGETSDIR = os.path.join(REPODIR, 'targets')
+
+# Where replaced files will be stored. This will be used globally rather
+# than a separate backup/replaced files directory for each pushroot.
+BACKUPDIR = '/var/tuf/replaced'
+
+
+def run():
+    """Look for and process pushes found in any PUSHROOTS."""
+    successcount = 0
+    failurecount = 0
+    for pushroot in PUSHROOTS:
+        if not os.path.exists(pushroot):
+            logger.error("The pushroot %s does not exist. Skipping." % pushroot)
+            continue
+        logger.debug('Looking for pushes in pushroot %s' % pushroot)
+        if not os.path.exists(os.path.join(pushroot, 'processed')):
+            os.mkdir(os.path.join(pushroot), 'processed')
+        if not os.path.exists(os.path.join(pushroot, 'processing')):
+            os.mkdir(os.path.join(pushroot), 'processing')
+        # TODO: use only the newest push and move the others to the 'processed'
+        #       directory, adding an appropriate log file.
+        for name in os.listdir(pushroot):
+            pushpath = os.path.join(pushroot, name)
+            if name == 'processed' or name == 'processing':
+                continue
+            if os.path.isdir(pushpath):
+                if not os.path.exists(os.path.join(pushpath, 'info')):
+                    logger.warn("Skipping incomplete push %s (no info file)."
+                                % pushpath)
+                    continue
+                success = process_new_push(pushroot, name)
+                if success:
+                    successcount += 1
+                else:
+                    failurecount += 1
+        logger.info("Completed processing of all push roots. "
+                    "Push successes = %s, failures = %s." %
+                    (successcount, failurecount))
+
+
+def process_old_push(pushroot, pushname):
+    """When there are multiple pushes, only the newest is used. All of the
+       older ones are ignored. This function makes the appropriate logs for
+       an old push and moves it into the 'processed' directory."""
+    raise NotImplementedError
+
+
+def append_to_receive_log(pushpath, msg):
+    """Appends msg to [pushpath]/receive.log"""
+    try:
+        fp = open(os.path.join(pushpath, 'receive.log'), 'a')
+    except IOError, e:
+        raise tuf.Error('Unable to open receive log file: %s' % e)
+    try:
+        fp.write(msg)
+        fp.write('\n')
+    finally:
+        fp.close()
+
+
+def record_receive_result(pushpath, success):
+    """Writes the [pushpath]/receive.result file that indicates SUCCESS or
+       FAILURE."""
+    try:
+        fp = open(os.path.join(pushpath, 'receive.result'), 'w')
+    except IOError, e:
+        raise tuf.Error('Unable to open receive result file: %s' % e)
+    try:
+        if success:
+            fp.write("SUCCESS")
+        else:
+            fp.write("FAILURE")
+        fp.write('\n')
+    finally:
+        fp.close()
+
+
+def process_new_push(pushroot, pushname):
+    """Process a push.
+    
+    This will check the validity of targets metadata in the push (including
+    whether the signatures are trusted) and, if valid, will copy the targets
+    metadata and target files to the repository.
+
+    Args:
+        pushroot:
+        pushname:
+    """
+    logger.info("Processing %s/%s" % (pushroot, pushname))
+
+    pushpath = os.path.join(pushroot, 'processing', pushname)
+    logger.debug("Moving push directory to %s" % pushpath)
+    os.rename(os.path.join(pushroot, pushname), pushpath)
+
+    # Copy the contents of pushpath to a temp directory. We don't want the
+    # user to be able to modify the files we work with.
+    tempdir = tempfile.mkdtemp()
+    pushtempdir = os.path.join(tempdir, 'push')
+    shutil.copytree(pushpath, pushtempdir)
+
+    try:
+        try:
+            _process_copied_push(pushpath)
+            record_receive_result(pushpath, True)
+            return True
+        except (tuf.Error, OSError), e:
+            record_receive_result(pushpath, False)
+            append_to_receive_log(pushpath, str(e))
+            logger.exception("Processing failed for push: %s/%s" %
+                             (pushroot, pushname))
+            return False
+    finally:
+        processedpath = os.path.join(pushroot, 'processed', pushname)
+        logger.debug("Moving push directory to %s" % processedpath)
+        os.rename(pushpath, processedpath)
+
+
+def _process_copied_push(pushpath):
+    """Helper function for process_new_push.
+    
+    This does the actual work of copying pushpath to a temp directory,
+    checking the metadata and targets, and copying the files to the
+    repository on success. The push is valid and successfully processed
+    if no exception is raised.
+    
+    Raises:
+        OSError or tuf.Error.
+    """
+    pushname = os.path.basename(pushpath)
+
+    # Read the metadata of the current repository.
+    rootmetapath = os.path.join(METADIR, 'root.txt')
+    root_json = tuf.util.load_json_file(rootmetapath)
+    root_meta = root_json['signed']
+    root_obj = tuf.formats.RootFile.from_meta(root_meta)
+    keydb = tuf.keydb.KeyDB.create_from_root(root_obj)
+
+    # Determine the name of the targets metadata file that was pushed.
+    targetsmetafile = None
+    try:
+        fp = open(os.path.join(pushpath, 'info'), 'r')
+    except IOError, e:
+        raise tuf.Error('Unable to open push info file: %s' % e)
+    try:
+        for line in fp:
+            parts = line.strip().split('=')
+            if parts[0] == 'metadata':
+                if parts[1] != 'targets.txt':
+                    raise NotImplementedError('No support yet for pushing ' +
+                                              'delegated targets metadata.')
+                else:
+                    targetsmetafile = parts[1]
+                    break
+        else:
+            raise tuf.Error('No metadata= line in push info file.')
+    finally:
+        fp.close()
+
+    # Read the new metadata that was pushed.
+    targetsmetapath = os.path.join(pushpath, targetsmetafile)
+    targets_json = tuf.util.load_json_file(targetsmetapath)
+
+    # Read the existing metadata from the repository.
+    repotargetsmetapath = os.path.join(METADIR, targetsmetafile)
+
+    # Check the metadata. This is mostly to make sure we don't replace good
+    # metadata with bad metadata as clients do their own security checking.
+    # This is what we check:
+    #    * it is newer than the last metadata.
+    #    * it has not expired.
+    #    * all signatures valid.
+    #    * a threshold of trusted signatures. only check the delegating
+    #        role rather than the trust hierachy all the way up.
+    #    * all of the files listed in the metadata were provided and have
+    #        the sizes and hashes listed in the metadata.
+
+    # Check that the new metadata is newer than the existing metadata.
+    if os.path.exists(repotargetsmetapath):
+        repo_targets_json = tuf.util.load_json_file(targetsmetapath)
+        cur_timestamp_string = repo_targets_json['signed']['ts']
+        cur_meta_timestamp = tuf.formats.parse_time(cur_timestamp_string)
+
+        new_timestamp_string = targets_json['signed']['ts']
+        new_meta_timestamp = tuf.formats.parse_time(new_timestamp_string)
+
+        # Allowing equality makes testing/development easier.
+        if cur_meta_timestamp > new_meta_timestamp:
+            raise tuf.Error("Existing metadata timestamp (%s) is newer than "
+                            "the new metadata's timestamp (%s)" %
+                            (cur_timestamp_string, new_timestamp_string))
+        else:
+            logger.debug('Metadata timestamp is %s (replacing metdata with '
+                         'timestamp %s)' %
+                         (new_timestamp_string, cur_timestamp_string))
+
+    else:
+        logger.warn("The old targets metadata file %s doesn't exist in "
+                    "the repo. Skipping timestamp check." %
+                    repotargetsmetapath)
+
+    # Ensure the metadata is not expired.
+    expiration_string = repo_targets_json['signed']['expires']
+    expiration_timestamp = tuf.formats.parse_time(expiration_string)
+    if expiration_timestamp <= time.time():
+        raise tuf.Error("Pushed metadata expired at %s" % expiration_string)
+    else:
+        logger.debug('Metadata will expire at %s' % expiration_string)
+
+    # This raises tuf.BadSignature if the check fails.
+    status = tuf.sig.check_signatures(targets_json, keydb, role='targets')
+    logger.debug('Signatures: %s' % status)
+
+    logger.info("Number of targets specified: %s" %
+                len(targets_json['signed']['targets'].keys()))
+
+    for targetrelpath, targetinfo in targets_json['signed']['targets'].items():
+        targetpath = os.path.join(pushpath, 'targets', targetrelpath)
+
+        # Check that the target was provided.
+        if not os.path.exists(targetpath):
+            raise tuf.Error('The specified target file was not provided: %s',
+                            targetrelpath)
+
+        # Check size.
+        actualsize = os.path.getsize(targetpath)
+        if actualsize != targetinfo['length']:
+            raise tuf.Error('The size of target file %s is incorrect: ' +
+                            'was %s, expected %s' % (targetrelpath, actualsize,
+                                                     targetinfo['length']))
+        else:
+            logger.debug('Size of target %s is correct (%s bytes).' %
+                         (targetpath, actualsize))
+
+        # Check hashes.
+        hashcount = len(targetinfo['hashes'].items())
+        if hashcount == 0:
+            raise tuf.Error('Empty hashes dictionary.')
+        else:
+            logger.debug('%s hashes to check.' % hashcount)
+        for hashalg, hashval in targetinfo['hashes'].items():
+            d_obj = tuf.hash.Digest(hashalg)
+            d_obj.update_filename(targetpath)
+            if d_obj.format() != hashval:
+                raise tuf.Error('%s hash does not match: was %s, expected %s' %
+                                (hashalg, d_obj.format(), hashval))
+            else:
+                logger.debug('%s hash of target %s is correct (%s).' %
+                             (hashalg, targetpath, hashval))
+
+    # At this point, the targets metadata and all specified files have been
+    # verified. 
+
+    # Remove the files referenced by the old targets metadata as well as the
+    # old targets metadata itself.
+    _remove_old_files(repotargetsmetapath, pushname)
+
+    # Copy the new target files into place on the repository. 
+    for targetrelpath in targets_json['signed']['targets'].keys():
+        srcpath = os.path.join(pushpath, 'targets', targetrelpath)
+        destpath = os.path.join(TARGETSDIR, targetrelpath)
+        logger.info("Adding target to repo: %s" % destpath)
+        destdir = os.path.dirname(destpath)
+        if not os.path.exists(destdir):
+            os.mkdir(destdir)
+        shutil.copy(srcpath, destpath)
+
+    # Copy the targets metadata into place on the repository.
+    logger.info("Adding new targets metadata to repo: %s" %
+                repotargetsmetapath)
+    shutil.copy(targetsmetapath, repotargetsmetapath)
+
+
+def _remove_old_files(oldtargetsfile, pushname):
+    """Remove metadata and target files that will be replaced.
+    
+    This does not take into account any targets that are the same between
+    the old and new metadata. For simplicity, all old targets are removed
+    and thus even targets that remained the same will need to be copied
+    into place after this has been called.
+    
+    This function currently assumes that the the metadata file is the
+    top-level targets.txt file rather than a delegated metadata file.
+    
+    Args:
+        oldtargetsfile: The old targets metadata file that is to be
+            replaced, along with all of its referenced targets.
+    """
+    if not os.path.exists(oldtargetsfile):
+        logger.warn("The old targets metadata file %s doesn't exist in "
+                    "the repo. Skipping file backup." % oldtargetsfile)
+        return
+
+    backupdestdir = tempfile.mktemp(prefix=pushname, dir=BACKUPDIR)
+    os.mkdir(backupdestdir)
+    backuptargetsdir = os.path.join(backupdestdir, 'targets')
+    os.mkdir(backuptargetsdir)
+
+    targets_json = tuf.util.load_json_file(oldtargetsfile)
+    for targetrelpath in targets_json['signed']['targets'].keys():
+        curtargetpath = os.path.join(TARGETSDIR, targetrelpath)
+        baktargetpath = os.path.join(backuptargetsdir, targetrelpath)
+        logger.info("Backing up target %s to %s" % (curtargetpath, baktargetpath))
+        if os.path.exists(curtargetpath):
+            mkdir_p(os.path.dirname(baktargetpath))
+            os.rename(curtargetpath, baktargetpath)
+        else:
+            logger.warn("The old target %s doesn't exist in the repo." %
+                        curtargetpath)
+
+    baktargetsmetafile = os.path.join(backupdestdir, 'targets.txt')
+    logger.info("Backing up old metadata %s to %s" % (oldtargetsfile,
+                                                      baktargetsmetafile))
+    os.rename(oldtargetsfile, baktargetsmetafile)
+
+
+def mkdir_p(path):
+    try:
+        os.makedirs(path)
+    except OSError, err:
+        if err.errno == errno.EEXIST:
+            pass
+        else: raise
+
+
+def _check_directories_exist():
+    """Check that the various defined directories exist."""
+    # We don't check the PUSHROOTS here because we consider it non-fatal
+    # if those are missing. A log message is issued if any of those are
+    # missing.
+    dirs_to_check = {'REPODIR':REPODIR, 'METADIR':METADIR,
+                     'TARGETSDIR':TARGETSDIR, 'BACKUPDIR':BACKUPDIR}
+    for name, path in dirs_to_check.items():
+        if not os.path.exists(path):
+            logger.error("%s directory does not exist: %s" % (name, path))
+            sys.exit(1)
+
+
+if __name__ == "__main__":
+    _check_directories_exist()
+    run()
diff --git a/src/tuf/pushtools/transfer/__init__.py b/src/tuf/pushtools/transfer/__init__.py
new file mode 100755
index 00000000..e69de29b
diff --git a/src/tuf/pushtools/transfer/scp.py b/src/tuf/pushtools/transfer/scp.py
new file mode 100755
index 00000000..fea0c0b3
--- /dev/null
+++ b/src/tuf/pushtools/transfer/scp.py
@@ -0,0 +1,112 @@
+# Copyright 2010 The Update Framework.  See LICENSE for licensing information.
+"""
+SCP transfer module for the developer push mechanism.
+
+This will use scp to upload a push directory to the repository. The directory
+will be named with the current timestamp in the format XXXXXXXXXX.XX. The
+directory will contain a file named 'info' that provides information about
+the push, the signed metadata file, and a 'targets' directory that contains
+the targets specified in the metadata.
+
+Use of this module requires the following section to be present in the push
+configuration file provided to push.py:
+
+[scp]
+host = somehost
+user = someuser
+identity_file = optional_path_to_ssh_key
+remote_dir = ~/pushes
+
+The remote_dir should correspond to a pushroot configured in the repository's
+receive.py script.
+
+This transfer module will output to stdout the commands it runs and the output
+of those commands.
+
+Example:
+
+$ python pushtools/push.py push push.cfg test.txt 
+Running command: scp -r /tmp/tmpc8PiXo somehost:~/test/pushes/1273704893.55
+info                                         100%   21     0.0KB/s   00:00    
+targets.txt                                  100%  771     0.8KB/s   00:00    
+test.txt                                     100%    5     0.0KB/s   00:00
+"""
+
+import os
+import shutil
+import subprocess
+import tempfile
+import time
+
+
+class TransferContext(object):
+
+    def __init__(self, config):
+        self.host = config['host']
+        self.user = config.get('user')
+        self.identity_file = config.get('identity_file')
+        self.remote_dir = config.get('remote_dir', '.')
+
+    def transfer(self, target_paths, metadata_path):
+        """
+        Create a local temporary directory with an additional file used to
+        communicate additional information to the repository. This directory
+        will be transferred to the repository.
+        """
+
+        basecommand = ['scp']
+        if self.identity_file:
+            basecommand.extend(['-i', self.identity_file])
+
+        timestamp = time.time()
+        dest = ""
+        if self.user:
+            dest += "%s@"
+        dest += "%s:%s/%s" % (self.host, self.remote_dir, timestamp)
+
+        tempdir = tempfile.mkdtemp()
+        try:
+            # Make sure the temp directory is world-readable as the permissions
+            # get carried over in the scp'ing.
+            os.chmod(tempdir, 0755)
+
+            # Create a file that tells the repository the name of the targets
+            # metadata file. For delegation, this will be the only way the
+            # the repository knows the full role name.
+            fp = open(os.path.join(tempdir, 'info'), 'w')
+            fp.write("metadata=%s\n" % metadata_path)
+            fp.close()
+
+            # Copy the metadata.
+            basename = os.path.basename(metadata_path)
+            shutil.copy(metadata_path, os.path.join(tempdir, basename))
+
+            # Create a directory that all target files will be put in before
+            # being transferred.
+            targetsdir = os.path.join(tempdir, 'targets')
+            os.mkdir(targetsdir)
+
+            # This is quite inefficient for large files, but just copy all
+            # targets into the correct directory structure.
+            for path in target_paths:
+                dirname = os.path.dirname(path)
+                basename = os.path.basename(path)
+                if dirname and not os.path.exists(dirname):
+                    os.makedirs(dirname)
+                shutil.copy(path, os.path.join(targetsdir, basename))
+
+            # This will create the 'timestamp' directory on the remote host and
+            # it will contain the info file and an empty targets directory.
+            command = basecommand[:]
+            command.append('-r') # recursive
+            command.append(tempdir)
+            command.append(dest)
+            print "Running command: %s" % ' '.join(command)
+            # Raises subprocess.CalledProcessError on failure.
+            subprocess.check_call(command)
+
+        finally:
+            shutil.rmtree(tempdir)
+
+    def finalize(self):
+        pass
diff --git a/src/tuf/repo/__init__.py b/src/tuf/repo/__init__.py
new file mode 100755
index 00000000..e69de29b
diff --git a/src/tuf/repo/keystore.py b/src/tuf/repo/keystore.py
new file mode 100755
index 00000000..1641a69c
--- /dev/null
+++ b/src/tuf/repo/keystore.py
@@ -0,0 +1,485 @@
+"""
+<Program Name>
+  keystore.py
+  
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+  
+<Started>
+  March 28, 2012.  Based on a previous version of this module by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Help store private keys in encrypted files and provide functions to load and
+  save a keystore database. The database contains all of the keys needed to
+  sign a repository's Metadata files, such as 'root.txt' and 'release.txt'.
+
+  Originally, this stored the keys in one file- we've changed that so that it
+  instead encrypts them separately, naming them according to their keyid value.
+
+  This changes the semantics of the system considerably- first, the 'fname'
+  passed in was originally treated as a filename. We now treat it as the name
+  of a directory.
+
+  Secondly, it no longer makes sense to provide access to keys which do not
+  match the given decryption key.
+
+  Thirdly, the semantics of adding keys has changed. It does not make sense to 
+  have only one key for the entire keystore, and as a result, we're requiring 
+  that the password be set at the point where the key is added.
+
+"""
+
+import os
+import binascii
+import logging
+
+import evpy.cipher
+
+import tuf.rsa_key
+import tuf.util
+
+# See 'log.py' to learn how logging is handled in TUF.
+logger = logging.getLogger('tuf.keystore')
+
+json = tuf.util.import_json()
+
+# The delimeter symbol used to separate the different sections
+# of encrypted files (i.e., salt, IV, ciphertext, passphrase).
+# This delimeter is arbitrarily chosen and should not occur in
+# the hexadecimal representations of the fields it is separating.
+_ENCRYPTION_DELIMETER = '@@@@'
+
+# A password is set for each key added to the keystore.
+# The passwords dict has the form: {keyid: 'password', ...}
+_key_passwords = {}
+
+# The keystore database, which has the form:
+# {keyid: key, ...}.
+_keystore = {}
+
+
+def add_rsakey(rsakey_dict, password, keyid=None):
+  """
+  <Purpose>
+    Add 'rsakey_dict' to the keystore database while ensuring only
+    unique keys are added.  If 'keyid' is provided, verify it is the
+    correct keyid for 'rsakey_dict' and raise an exception otherwise.
+  
+  <Arguments>
+    rsakey_dict:
+      A dictionary conformant to 'tuf.formats.RSAKEY_SCHEMA', which
+      has the form:
+      {'keytype': 'rsa',
+       'keyid': keyid,
+       'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                  'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+
+    password:
+      The object containing the password needed to encrypt and decrypt
+      the key file (i.e., '<keyid>.key').  It must conform to
+      'PASSWORD_SCHEMA'.
+
+    keyid:
+      An object conformant to 'KEYID_SCHEMA'.  It is used as an identifier
+      for RSA keys.  This particular keyid should be extracted by the caller
+      from the file name used by the key file ('<keyid>.key') to ensure it
+      was correctly named.
+
+  <Exceptions>
+    tuf.FormatError, if 'rsakey_dict' or 'keyid' has an incorrect format.
+
+    tuf.Error, if 'keyid' argument does not match the keyid for 'rsakey_dict'.
+
+    tuf.KeyAlreadyExistsError, if 'rsakey_dict' is found in the keystore.
+
+  <Side Effects>
+    The '_keystore' and '_key_passwords' dictionaries are modified.
+
+  <Returns>
+    None.
+
+  """
+  
+  # Does 'rsakey_dict' have the correct format?
+  # This check will ensure 'rsakey_dict' has the appropriate number of objects
+  # and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.RSAKEY_SCHEMA.check_match(rsakey_dict)
+
+  # Does 'password' have the correct format?
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.PASSWORD_SCHEMA.check_match(password)
+
+  # If 'keyid' was passed as an argument, does it
+  # have the correct format?
+  if keyid:
+    # Raise 'tuf.FormatError' if the check fails.
+    tuf.formats.KEYID_SCHEMA.check_match(keyid)
+
+    # Check if the keyid found in 'rsakey_dict' matches
+    # the 'keyid' supplied as an argument. 
+    if keyid != rsakey_dict['keyid']:
+      raise tuf.Error('Incorrect keyid '+rsakey_dict['keyid']+' expected '+keyid)
+ 
+  # Check if the keyid belonging to 'rsakey_dict' is not already
+  # available in the key database.
+  keyid = rsakey_dict['keyid']
+  if keyid in _keystore:
+    raise tuf.KeyAlreadyExistsError('keyid: '+keyid)
+  
+  _key_passwords[keyid] = password
+  _keystore[keyid] = rsakey_dict
+
+
+
+
+
+def load_keystore_from_keyfiles(directory_name, keyids, passwords):
+  """
+  <Purpose>
+    Populate the keystore database with the key files found in
+    'directory_name'.  Use the user-supplied passwords in 'passwords' to
+    decrypt the key files.  Each key file has a corresponding password.
+
+  <Arguments>
+    directory_name:
+      The name of the directory containing the key files ('<keyid>.key'),
+      conformant to tuf.formats.RELPATH_SCHEMA.
+
+    keyids:
+      A list containing the keyids of the signing keys to load.
+
+    passwords:
+      A list containing the password objects to encrypt and decrypt
+      the key files ('<keyid>.key').
+
+  <Exceptions>
+    tuf.FormatError, if 'directory_name' or 'passwords' has an incorrect
+    format.
+
+  <Side Effects>
+    The '_keystore' and '_key_passwords' dictionaries are modified.
+    The key files found in 'directory_name' are read.
+
+  <Returns>
+    A list containing the keyids of the loaded keys.
+
+  """
+
+  # Does 'directory_name' have the correct format?
+  # This check will ensure 'directory_name' has the appropriate number of
+  # objects and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.RELPATH_SCHEMA.check_match(directory_name)
+
+  # Does 'keyids' have the correct format?
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.KEYIDS_SCHEMA.check_match(keyids)
+  
+  # Does 'passwords' have the correct format?
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.PASSWORDS_SCHEMA.check_match(passwords)
+
+  # Keep a list of the keys loaded.
+  loaded_keys = [] 
+  
+  logger.info('Loading private key(s) from '+repr(directory_name))
+
+  # Make sure the directory exists.
+  if not os.path.exists(directory_name):
+    logger.info('...no such directory.  Keystore cannot be loaded.')
+    return 
+
+  # Get the list of filenames with a '.key' extension from 'directory_name'.
+  keypaths = []
+  for filename in os.listdir(directory_name):
+    if filename.endswith('.key'):
+      keypaths.append(filename) 
+
+  # Decrypt the keys we can from those stored in 'keypaths'.
+  for keypath in keypaths:
+    full_filepath = os.path.join(directory_name, keypath)
+    raw_contents = open(full_filepath, 'rb').read()
+
+    # Try to decrypt the file using one of the passwords in 'passwords'.
+    for password in passwords:
+      try:
+        json_data = _decrypt(raw_contents, password)
+      except tuf.CryptoError:
+        continue
+     
+      try: 
+        keydata = tuf.util.load_json_string(json_data)
+      except ValueError:
+        # 'keydata' could not be decoded.  This will be the case
+        # if the encrypted file could not be decrypted (e.g.,
+        # invalid password).
+        continue
+
+      # Create the key based on its key type.  RSA keys currently
+      # supported.
+      if keydata['keytype'] == 'rsa':
+        # 'keydata' is stored in KEY_SCHEMA format.  Call
+        # create_from_metadata_format() to get the key in RSAKEY_SCHEMA
+        # format, which is the format expected by 'add_rsakey()'.
+        rsa_key = tuf.rsa_key.create_from_metadata_format(keydata)
+
+        # Ensure the keyid for 'rsa_key' is one of the keys specified in
+        # 'keyids'.  If not, do not load the key.
+        if rsa_key['keyid'] not in keyids:
+          continue
+        
+        # Ensure the '.key' extension is removed (keypath[:-4]), as we only
+        # need the basefilename containing the full keyid.
+        add_rsakey(rsa_key, password, keyid=keypath[:-4])
+        logger.info('Loaded key: '+rsa_key['keyid'])
+        loaded_keys.append(rsa_key['keyid'])
+        continue
+      else:
+        logger.warn(repr(full_filepath)+' contains an invalid key type.')
+        continue
+
+  logger.info('Done.')
+  return loaded_keys
+
+
+
+
+
+def save_keystore_to_keyfiles(directory_name):
+  """
+  <Purpose>
+    Save all the keys found in the keystore to separate files.  The password
+    for each key is stored when it is added to the keystore.  Use these 
+    passwords to encrypt the key files and save them in encrypted form to
+    'directory_name'.
+
+  <Arguments>
+    directory_name:
+      The name of the directory containing the key files ('<keyid>.key'),
+      conformant to tuf.formats.RELPATH_SCHEMA.
+
+  <Exceptions>
+    tuf.FormatError if 'directory_name is incorrectly formatted.
+
+  <Side Effects>
+    'directory_name' created if it does not exist.
+
+  <Returns>
+    None.
+
+  """
+
+  # Does 'directory_name' have the correct format?
+  # This check will ensure 'directory_name' has the appropriate number of
+  # objects and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.RELPATH_SCHEMA.check_match(directory_name)
+
+  logger.info('Saving private key(s) to '+repr(directory_name))
+
+  # Make sure the directory exists, otherwise create it.
+  if not os.path.exists(directory_name):
+    logger.info('...no such directory.  The directory will be created.')
+    os.mkdir(directory_name)
+
+  # Iterate through the keystore keys and save them individually to a file.
+  for keyid, key in _keystore.items():
+    basefilename = os.path.join(directory_name, str(keyid)+'.key')
+    file_object = open(basefilename, 'w')
+    
+    # Determine the appropriate format to save the key based on its key type.
+    if key['keytype'] == 'rsa':
+      key_metadata_format = \
+            tuf.rsa_key.create_in_metadata_format(key['keyval'], private=True)
+    else:
+      logger.warn('The keystore has a key with an unrecognized key type.')
+      continue
+    
+    # Encrypt 'key_metadata_format' and save it.
+    encrypted_key = _encrypt(json.dumps(key_metadata_format), _key_passwords[keyid])
+    file_object.write(encrypted_key)
+    file_object.close()
+    logger.info(repr(basefilename)+' saved.')
+
+  logger.info('Done.')
+
+
+
+
+
+def clear_keystore():
+  """
+  <Purpose>
+    Clear the keystore and key passwords.
+
+  <Arguments>
+    None.
+
+  <Exceptions>
+    None.
+
+  <Side Effect>
+    The keystore and password dicts are reset.
+
+  <Returns>
+    None.
+
+  """
+
+  _keystore.clear()
+  _key_passwords.clear()
+
+
+
+
+
+def change_password(keyid, old_password, new_password):
+  """
+  <Purpose>
+    Change the password for 'keyid'.
+
+  <Arguments>
+    keyid:
+      The keyid for the signing key.
+
+    old_password:
+      The old password for the signing key to modify.
+
+    new_password:
+      The new password to set for the signing key.
+
+  <Exceptions>
+    tuf.UnknownKeyError, if 'keyid' is not found in the
+    keystore.
+    
+    tuf.BadPasswordError, if 'old_password' is invalid or
+    'new_password' does not have to correct format.
+
+  <Side Effects>
+    The old password for 'keyid' is changed to 'new_password'.
+
+  <Returns>
+    None.
+
+  """
+  
+  # Check if 'keyid' is the keystore.
+  if keyid not in _keystore or keyid not in _key_passwords:
+    raise tuf.UnknownKeyError(keyid+' not recognized.')
+
+  # Check if the old password matches.
+  if _key_passwords[keyid] != old_password:
+    raise tuf.BadPasswordError('Old password invalid')
+
+  # If 'new_password' has the correct format, update '_key_passwords'.
+  if tuf.formats.PASSWORD_SCHEMA.matches(new_password):
+    _key_passwords[keyid] = new_password
+
+
+
+
+
+def get_key(keyid):
+  """
+  <Purpose>
+    Return the key for 'keyid'.  If 'keyid' corresponds to an
+    RSA key, the object returned would conform to
+    'tuf.formats.RSAKEY_SCHEMA'.  A different key type would return
+    its corresponding key schema.
+
+  <Arguments>
+    keyid:
+      The key identifier.
+
+  <Exceptions>
+    tuf.FormatError, if 'keyid' does not have the correct format.
+
+    tuf.UnknownKeyError, if 'keyid' is not found in the keystore.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    The key belonging to 'keyid' (e.g., RSA key).
+
+  """
+
+  # Does 'keyid' have the correct format?
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.KEYID_SCHEMA.check_match(keyid)
+
+  try:
+    key = _keystore[keyid]
+  except KeyError:
+    raise tuf.UnknownKeyError('The keyid was not found in the keystore')
+
+  return key
+
+
+
+
+
+def _encrypt(key_data, password):
+  """
+  Encrypt 'key_data' using the Advanced Encryption Standard algorithm.
+  'password' is treated as the symmetric key, strengthened using SHA512.
+  The key size is 192 bits and AES's mode of operation is set to CBC
+  (Cipher-Block Chaining).
+
+  'key_data' is the JSON string representation of the key.  In the case
+  of RSA keys, this format would be 'tuf.formats.RSAKEY_SCHEMA':
+  {'keytype': 'rsa',
+   'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+              'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+
+  tuf.CryptoError raised if the encryption fails.
+  
+  """
+  
+  # Use AES192 to encrypt 'key_data'.
+  try:
+    salt, iv, ciphertext = evpy.cipher.encrypt(key_data, password)
+  except evpy.cipher.CipherError:
+    raise tuf.CryptoError
+
+  # Return the salt, initialization vector, and ciphertext as a single string.
+  # These three values are delimited by '_ENCRYPTION_DELIMETER' to make
+  # extraction easier.  This delimeter is arbitrarily chosen and should not
+  # occur in the hexadecimal representations of the fields it is separating.
+  return binascii.hexlify(salt) + _ENCRYPTION_DELIMETER + \
+         binascii.hexlify(iv) + _ENCRYPTION_DELIMETER + \
+         binascii.hexlify(ciphertext)
+
+
+
+
+
+def _decrypt(key_data, password):
+  """
+  The corresponding decryption routine for _encrypt().
+
+  tuf.CryptoError raised if the decryption fails.
+  
+  """
+ 
+  # Extract the salt, initialization vector, and ciphertext from 'key_data'. 
+  # These three values are delimited by '_ENCRYPTION_DELIMETER'.
+  # This delimeter is arbitrarily chosen and should not occur in the
+  # hexadecimal representations of the fields it is separating.
+  salt, iv, ciphertext = key_data.split(_ENCRYPTION_DELIMETER)
+
+  # The following decryption routine assumes 'key_data' was encrypted
+  # using AES192.
+  try:
+    key_plaintext = evpy.cipher.decrypt(binascii.unhexlify(salt),
+                                        binascii.unhexlify(iv),
+                                        binascii.unhexlify(ciphertext),
+                                        password)
+  except evpy.cipher.CipherError:
+    raise tuf.CryptoError
+
+  return key_plaintext
diff --git a/src/tuf/repo/signercli.py b/src/tuf/repo/signercli.py
new file mode 100755
index 00000000..ac1f7b02
--- /dev/null
+++ b/src/tuf/repo/signercli.py
@@ -0,0 +1,1298 @@
+"""
+<Program Name>
+  signercli.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  April 5, 2012.  Based on a previous version of this module by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Provide an interactive command-line interface to create and sign metadata.
+  This script can be used to create all of the top-level role files required
+  by TUF, which include 'root.txt', 'targets.txt', 'release.txt', and
+  'timestamp.txt'. It also provides options to generate RSA keys, change the
+  encryption/decryption keys of encrypted key files, list the keyids of
+  the signing keys stored in a keystore directory, create delegated roles,
+  and dump the contents of signing keys (i.e., public and private keys, key
+  type, etc.)
+
+  This module can be best understood if read starting with the parse_option()
+  call in __main__.  All of the options accept a single keystore
+  directory argument.  Beyond this point, the script is interactive.
+  If any additional arguments is required, the user will be asked to input
+  these values.  The script will process one command-line option and
+  raise an error for any other options that might be supplied.
+
+  Initially, the 'quickstart.py' script is utilized when the repository is
+  first created.  'signercli.py' would then be executed to update the state
+  of the repository.  For example, the repository owner wants to change the
+  'targets.txt' signing key.  The owner would run 'signercli.py' to
+  generate a new RSA key, add the new key to the configuration file created
+  by 'quickstart.py', and then run 'signercli' to update the metadata files.
+
+<Usage>
+  $ python signercli.py --<option> <keystore_directory>
+
+  Examples:
+  S python signercli.py --genrsakey ./keystore
+  $ python signercli.py --changepass ./keystore
+
+<Options>
+  See the parse_options() function for the full list of supported options.
+
+"""
+
+import os
+import optparse
+import getpass
+import sys
+import logging
+import errno
+
+import tuf
+import tuf.repo.signerlib
+import tuf.repo.keystore
+import tuf.util
+import tuf.log
+
+json = tuf.util.import_json()
+
+# See 'log.py' to learn how logging is handled in TUF.
+logger = logging.getLogger('tuf.signercli')
+
+# The maximum number of attempts the user has to enter
+# valid input.
+MAX_INPUT_ATTEMPTS = 3
+
+
+def _check_directory(directory):
+  try:
+    directory = tuf.repo.signerlib.check_directory(directory)
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+  return directory
+
+
+
+
+def _get_password(prompt='Password: ', confirm=False):
+  """
+    Return the password entered by the user.  If 'confirm'
+    is True, the user is asked to enter the previously
+    entered password once again.  If they match, the
+    password is returned to the caller.
+
+  """
+
+  while True:
+    password = getpass.getpass(prompt, sys.stderr)
+    if not confirm:
+      return password
+    password2 = getpass.getpass('Confirm: ', sys.stderr)
+    if password == password2:
+      return password
+    else:
+      print 'Mismatch; try again.'
+
+
+
+
+
+def _prompt(message, result_type=str):
+  """
+    Prompt the user for input by printing 'message', converting
+    the input to 'result_type', and returning the value to the
+    caller.
+
+  """
+
+  return result_type(raw_input(message))
+
+
+
+
+
+def _get_metadata_directory():
+  """
+    Get the metadata directory from the user.  The user
+    is asked to enter the directory, and if validated, is
+    returned to the caller.  'tuf.FormatError' is raised
+    if the directory is not properly formatted, and 'tuf.Error'
+    if it does not exist.
+
+  """
+
+  metadata_directory = _prompt('\nEnter the metadata directory: ', str)
+
+  # Raises 'tuf.RepositoryError'.
+  metadata_directory = _check_directory(metadata_directory)
+
+  return metadata_directory
+
+
+
+
+
+def _list_keyids(keystore_directory):
+  """
+    List the key files found in 'keystore_directory'.
+    It is assumed the directory exists and has been validated by
+    the caller.  The keyids are listed without the '.key' extension.
+
+  """
+
+  # Extract the key files ending in a '.key' extension.
+  key_paths = []
+  for filename in os.listdir(keystore_directory):
+    full_path = os.path.join(keystore_directory, filename)
+    if filename.endswith('.key') and not os.path.isdir(full_path):
+      key_paths.append(filename)
+
+  # Print the keys without the '.key' extension.
+  print '\nListing the keyids in '+repr(keystore_directory)
+  for keyid in key_paths:
+    print keyid[0:keyid.rfind('.key')]
+
+
+
+
+
+def _get_keyids(keystore_directory):
+  """
+    Load the keyids in 'keystore_directory'.  The keystore
+    database is populated with the keyids that are found
+    and successfully loaded.  A list containing the keyids
+    of the loaded keys is returned to the caller.  Since the
+    key files are stored in encrypted form, the user is asked
+    to enter the password that was used to encrypt the key
+    file.
+
+  """
+
+  # The keyids list containing the keys loaded.
+  loaded_keyids = []
+
+  # Save the 'load_keystore_from_keyfiles' function call.
+  load_key = tuf.repo.keystore.load_keystore_from_keyfiles
+
+  # Ask the user for the keyid and password.  Next, try to load the specified
+  # keyid/password combination.  If loaded, append the loaded key's keyid to
+  # 'loaded_keyids'.  Loop the steps above or exit when the user enters 'quit'.
+  while True:
+    keyid_prompt = '\nEnter the keyid or "quit" when done: '
+    keyid = _prompt(keyid_prompt, str)
+    if keyid.lower() == 'quit':
+      break
+
+    # Get the password from the user so we can decrypt the key file.
+    password = _get_password('\nEnter the keyid\'s password: ')
+
+    # Try to load the keyfile with the keyid and password credentials.
+    loaded_keyid = load_key(keystore_directory, [keyid], [password])
+    # Was 'keyid' loaded?
+    if keyid not in loaded_keyid:
+      logger.error('Could not load keyid: '+keyid)
+      continue
+
+    # Append 'keyid' to the loaded list of keyids.
+    loaded_keyids.append(loaded_keyid[0])
+
+  return loaded_keyids
+
+
+
+
+
+def _get_all_config_keyids(config_filepath, keystore_directory):
+  """
+    Retrieve the contents of the config file and load
+    the keys for the top-level roles.  After this function
+    returns successfully, all the required roles are loaded
+    in the keystore.  The arguments should be absolute paths.
+
+    <Exceptions>
+      tuf.Error, if the required top-level keys could
+      not be loaded.
+
+    <Returns>
+      A dictionary containing the keyids for the top-level roles.
+      loaded_keyids = {'root': [1233d3d, 598djdks, ..],
+                       'release': [sdfsd323, sdsd9090s, ..]
+                       ...}
+
+  """
+
+  # Save the 'load_keystore_from_keyfiles' function call.
+  load_key = tuf.repo.keystore.load_keystore_from_keyfiles
+
+  # 'tuf.Error' raised if the configuration file cannot be read.
+  config_dict = tuf.repo.signerlib.read_config_file(config_filepath)
+
+  loaded_keyids = {}
+  # Extract the sections from the config file.  We are only
+  # interested in role sections.
+  for key, value in config_dict.items():
+    if key in ['root', 'targets', 'release', 'timestamp']:
+      # Try to load the keyids for each role.
+      loaded_keyids[key] = []
+      for keyid in value['keyids']:
+        for attempt in range(MAX_INPUT_ATTEMPTS):
+          message = '\nEnter the password for the '+key+' role ('+keyid+'): '
+          password = _get_password(message)
+          loaded_key = load_key(keystore_directory, [keyid], [password])
+          if not loaded_key or keyid not in loaded_key:
+            logger.error('Could not load keyid: '+keyid)
+            continue
+          loaded_keyids[key].append(keyid)
+          break
+        if keyid not in loaded_keyids[key]:
+          raise tuf.Error('Could not load a required top-level role key')
+
+  # Ensure we loaded keys for the required top-level roles.
+  for key in ['root', 'targets', 'release', 'timestamp']:
+    if key not in loaded_keyids:
+      message = 'The configuration file did not contain the required roles'
+      raise tuf.Error(message)
+
+  return loaded_keyids
+
+
+
+
+
+def _get_role_config_keyids(config_filepath, keystore_directory, role):
+  """
+    Retrieve and load the key(s) for 'role', as listed in the keyids
+    found in 'config_filepath'.  'config_filepath' and 'keystore_directory'
+    should be absolute paths.
+
+  <Exceptions>
+    tuf.Error, if the required keys could not be loaded.
+
+  """
+
+  # Save the 'load_keystore_from_keyfiles' function call.
+  load_key = tuf.repo.keystore.load_keystore_from_keyfiles
+
+  # 'tuf.Error' raised if the configuration file cannot be read.
+  config_dict = tuf.repo.signerlib.read_config_file(config_filepath)
+
+  role_keyids = []
+  # Extract the sections from the config file.  We are only interested
+  # in the 'role' section.
+  for key, value in config_dict.items():
+    if key == role:
+      for keyid in value['keyids']:
+        for attempt in range(MAX_INPUT_ATTEMPTS):
+          message = '\nEnter the password for the '+key+' role ('+keyid+'): '
+          password = _get_password(message)
+          loaded_key = load_key(keystore_directory, [keyid], [password])
+          if not loaded_key or keyid not in loaded_key:
+            print 'Could not load keyid: '+keyid
+            logger.error('Could not load keyid: '+keyid)
+            continue
+          role_keyids.append(keyid)
+          break
+      # Ensure we loaded all the keyids.
+      for keyid in value['keyids']:
+        if keyid not in role_keyids:
+          raise tuf.Error('Could not load a required role key')
+  if not role_keyids:
+    raise tuf.Error('Could not load the required keys for '+role)
+
+  return role_keyids
+
+
+
+
+
+def _sign_and_write_metadata(metadata, keyids, filename):
+  """
+    Sign 'metadata' and write it to 'filename' (an absolute path),
+    overwriting the original file if it exists.  If any of the
+    keyids have already signed the file, the old signatures of
+    those keyids will be replaced.
+
+  <Exceptions>
+    tuf.FormatError, if any of the arguments are incorrectly formatted.
+
+    tuf.Error, if an error is encountered.
+
+  """
+
+  # Sign the metadata object.  The 'signable' object contains the keyids
+  # used in the signing process, including the signatures generated.
+  signable = tuf.repo.signerlib.sign_metadata(metadata, keyids, filename)
+
+  # Write the 'signable' object to 'filename'.  The 'filename' file is
+  # the final metadata file, such as 'root.txt' and 'targets.txt'.
+  tuf.repo.signerlib.write_metadata_file(signable, filename)
+
+
+
+
+
+def change_password(keystore_directory):
+  """
+  <Purpose>
+    Change the password for the signing key specified by the user.
+    All the values required by the user will be interactively
+    retrieved by this function.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if a bad password was given, the keystore directory
+      was invalid, or a required key could not be loaded.
+
+  <Side Effects>
+    The key file specified by the user is modified, including the encryption
+    key.
+
+  <Returns>
+    None.
+
+  """
+
+  # Save the 'load_keystore_from_keyfiles' function call.
+  load_key = tuf.repo.keystore.load_keystore_from_keyfiles
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # List the keyids in the keystore and prompt the user for the keyid they
+  # wish to modify.
+  _list_keyids(keystore_directory)
+
+  # Retrieve the keyid from the user.
+  message = '\nEnter the keyid for the password you wish to change: '
+  keyid = _prompt(message, str)
+
+  # Get the old password from the user.
+  old_password_prompt = '\nEnter the old password for the keyid: '
+  old_password = _get_password(old_password_prompt)
+
+  # Try to load the keyfile
+  loaded_keys = load_key(keystore_directory, [keyid], [old_password])
+
+  # Was 'keyid' loaded?
+  if keyid not in loaded_keys:
+    message = 'Could not load keyid: '+keyid+'\n'
+    raise tuf.RepositoryError(message)
+
+  # Retrieve the new password.
+  new_password = _get_password('\nNew password: ', confirm=True)
+
+  # Now that we have all the required information, try to change the password.
+  try:
+    tuf.repo.keystore.change_password(keyid, old_password, new_password)
+  except (tuf.BadPasswordError, tuf.UnknownKeyError), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+  # Save the changes.
+  tuf.repo.keystore.save_keystore_to_keyfiles(keystore_directory)
+
+
+
+
+
+def generate_rsa_key(keystore_directory):
+  """
+  <Purpose>
+    Generate an RSA key and save it to the keystore directory.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if the keystore directory is invalid or an rsa key
+      cannot be generated.
+
+  <Side Effects>
+    An RSA key will be generated and added to tuf.repo.keystore.
+    The RSA key will be saved to the keystore directory specified
+    on the command-line.
+
+  <Returns>
+    None.
+
+  """
+
+  # Save a reference to the generate_and_save_rsa_key() function.
+  save_rsa_key = tuf.repo.signerlib.generate_and_save_rsa_key
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # Retrieve the number of bits for the RSA key from the user.
+  rsa_key_bits = _prompt('\nEnter the number of bits for the RSA key: ', int)
+
+  # Retrieve the password used to encrypt/decrypt the key file from the user.
+  message = '\nEnter a password to encrypt the generated RSA key: '
+  password = _get_password(message, confirm=True)
+
+  # Generate the RSA key and save it to 'keystore_directory'.
+  try:
+    save_rsa_key(keystore_directory=keystore_directory,
+                 password=password, bits=rsa_key_bits)
+  except (tuf.FormatError, tuf.CryptoError), e:
+    message = 'The RSA key could not be generated. '+str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+
+
+
+
+def list_signing_keys(keystore_directory):
+  """
+  <Purpose>
+    Print the key IDs of the signing keys listed in the keystore
+    directory.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if the keystore directory is invalid.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    None.
+
+  """
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  _list_keyids(keystore_directory)
+
+
+
+
+
+def dump_key(keystore_directory):
+  """
+  <Purpose>
+    Dump the contents of the signing key specified by the user.
+    This dumped information includes the keytype, signing method,
+    the public key, and the private key (if requested by the user).
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if the keystore directory is invalid, a required
+      key cannot be loaded, or the keystore contains an invalid key,
+
+  <Side Effects>
+    The contents of encrypted key files are extracted and printed.
+
+  <Returns>
+    None.
+
+  """
+
+  # Save the 'load_keystore_from_keyfiles' function call.
+  load_key = tuf.repo.keystore.load_keystore_from_keyfiles
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # List the keyids found in 'keystore_directory', minus the '.key' extension.
+  _list_keyids(keystore_directory)
+
+  # Retrieve the keyid and password from the user.
+  message = '\nEnter the keyid for the signing key you wish to dump: '
+  keyid = _prompt(message, str)
+  password = _get_password('\nEnter the password for the keyid: ')
+
+  # Try to load the keyfile
+  loaded_keys = load_key(keystore_directory, [keyid], [password])
+
+  # Was 'keyid' loaded?
+  if keyid not in loaded_keys:
+    message = 'Could not load keyid: '+keyid+'\n'
+    raise tuf.RepositoryError(message)
+
+  # Get the key object.
+  key = tuf.repo.keystore.get_key(keyid)
+
+  # Ask the user if they would like to print the private key as well.
+  show_private = False
+  prompt = 'Should the private key be printed as well?' \
+           ' (if yes, enter \'private\'): '
+  print '\n*WARNING* Printing the private key reveals' \
+        ' sensitive information *WARNING*'
+  input = _prompt(prompt, str)
+  if input.lower() == 'private':
+    show_private = True
+
+  # Retrieve the key metadata according to the keytype.
+  if key['keytype'] == 'rsa':
+    key_metadata = tuf.rsa_key.create_in_metadata_format(key['keyval'],
+                                                         private=show_private)
+  else:
+    message = 'The keystore contains an invalid key type.'
+    raise tuf.RepositoryError(message)
+
+  # Print the contents of the key metadata.
+  print json.dumps(key_metadata, indent=2, sort_keys=True)
+
+
+
+
+
+def make_root_metadata(keystore_directory):
+  """
+  <Purpose>
+    Create the 'root.txt' file.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if required directories cannot be valided, 
+      required keys cannot be loaded, or a properly formatted root
+      metadata file cannot be created.
+
+  <Side Effects>
+    The contents of an existing root metadata file is overwritten.
+
+  <Returns>
+    None.
+
+  """
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # Get the metadata directory and the metadata filenames.
+  try:
+    metadata_directory = _get_metadata_directory()
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+  filenames = tuf.repo.signerlib.get_metadata_filenames(metadata_directory)
+
+  # Get the configuration file.
+  config_filepath = _prompt('\nEnter the configuration file path: ', str)
+  config_filepath = os.path.abspath(config_filepath)
+
+  # Load the keys for the top-level roles.
+  try:
+    loaded_keyids = _get_all_config_keyids(config_filepath, keystore_directory)
+  except (tuf.Error, tuf.FormatError), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+  root_keyids = loaded_keyids['root']
+
+  # Generate the root metadata and write it to 'root.txt'.
+  try:
+    tuf.repo.signerlib.build_root_file(config_filepath, root_keyids,
+                                       metadata_directory)
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+
+
+
+def make_targets_metadata(keystore_directory):
+  """ 
+  <Purpose>
+    Create the 'targets.txt' metadata file.  The targets must exist at the
+    same path they should on the repository.  This takes a list of targets.
+    We're not worrying about custom metadata at the moment. It's allowed to
+    not provide keys.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if required directories cannot be valided, 
+      required keys cannot be loaded, or a properly formatted targets
+      metadata file cannot be created.
+
+  <Side Effects>
+    The contents of an existing targets metadata file is overwritten.
+
+  <Returns>
+    None.
+
+  """
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # Retrieve the target files.
+  prompt_targets = '\nEnter the directory containing the target files: '
+  target_directory = _prompt(prompt_targets, str)
+
+  # Verify 'target_directory'.
+  target_directory = _check_directory(target_directory)
+
+  # Retrieve the metadata directory and the 'targets' filename.
+  try:
+    metadata_directory = _get_metadata_directory()
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+  # Get the configuration file.
+  config_filepath = _prompt('\nEnter the configuration file path: ', str)
+
+  config_filepath = os.path.abspath(config_filepath)
+
+  try:
+    # Retrieve and load the 'targets' signing keys.
+    targets_keyids = _get_role_config_keyids(config_filepath,
+                                           keystore_directory, 'targets')
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+  try:
+    # Create, sign, and write the "targets.txt" file.
+    tuf.repo.signerlib.build_targets_file(target_directory, targets_keyids,
+                                       metadata_directory)
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+
+
+
+
+
+def make_release_metadata(keystore_directory):
+  """
+  <Purpose>
+    Create the release metadata file.
+    The minimum metadata must exist. This is root.txt and targets.txt.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if required directories cannot be valided, 
+      required keys cannot be loaded, or a properly formatted release
+      metadata file cannot be created.
+
+  <Side Effects>
+    The contents of an existing release metadata file is overwritten.
+
+  <Returns>
+    None.
+
+  """
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # Retrieve the metadata directory and the release filename.
+  try:
+    metadata_directory = _get_metadata_directory()
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+  filenames = tuf.repo.signerlib.get_metadata_filenames(metadata_directory)
+  release_filename = filenames['release']
+
+  # Get the configuration file.
+  config_filepath = _prompt('\nEnter the configuration file path: ', str)
+  config_filepath = os.path.abspath(config_filepath)
+
+  # Retrieve and load the 'release' signing keys.
+  try:
+    release_keyids = _get_role_config_keyids(config_filepath,
+                                              keystore_directory, 'release')
+    # Generate the root metadata and write it to 'release.txt'
+    tuf.repo.signerlib.build_release_file(release_keyids, metadata_directory)
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+
+
+
+
+def make_timestamp_metadata(keystore_directory):
+  """
+  <Purpose>
+    Create the timestamp metadata file.  The 'release.txt' file must exist.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if required directories cannot be valided, 
+      required keys cannot be loaded, or a properly formatted timestamp
+      metadata file cannot be created.
+
+  <Side Effects>
+    The contents of an existing timestamp metadata file is overwritten.
+
+  <Returns>
+    None.
+
+  """
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+
+  # Retrieve the metadata directory and the timestamp filename.
+  try:
+    metadata_directory = _get_metadata_directory()
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+  filenames = tuf.repo.signerlib.get_metadata_filenames(metadata_directory)
+  timestamp_filename = filenames['timestamp']
+
+  # Get the configuration file.
+  config_filepath = _prompt('\nEnter the configuration file path: ', str)
+  config_filepath = os.path.abspath(config_filepath)
+
+  # Retrieve and load the 'timestamp' signing keys.
+  try:
+    timestamp_keyids = _get_role_config_keyids(config_filepath,
+                                               keystore_directory, 'timestamp')
+    # Generate the root metadata and write it to 'timestamp.txt'
+    tuf.repo.signerlib.build_timestamp_file(timestamp_keyids,
+                                            metadata_directory)
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+
+
+
+
+def sign_metadata_file(keystore_directory):
+  """
+  <Purpose>
+    Sign the metadata file specified by the user.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if required directories cannot be valided, 
+      required keys cannot be loaded, or the specified metadata file
+      is invalid.
+
+  <Side Effects>
+    The contents of an existing metadata file is overwritten.
+
+  <Returns>
+    None.
+
+  """
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # List the keyids available in the keystore.
+  _list_keyids(keystore_directory)
+
+  # Retrieve the keyids of the signing keys from the user.
+  print '\nThe keyids that will sign the metadata file must be loaded.'
+  loaded_keyids = _get_keyids(keystore_directory)
+
+  if len(loaded_keyids) == 0:
+    message = 'No keyids were loaded\n'
+    raise tuf.RepositoryError(message)
+
+  # Retrieve the metadata file the user intends to sign.
+  metadata_filename = _prompt('\nEnter the metadata filename: ', str)
+
+  metadata_filename = os.path.abspath(metadata_filename)
+  if not os.path.isfile(metadata_filename):
+    message = repr(metadata_filename)+' is an invalid file.\n'
+    raise tuf.RepositoryError(message)
+
+  # Create, sign, and write the metadata file.
+  metadata = tuf.repo.signerlib.read_metadata_file(metadata_filename)
+  _sign_and_write_metadata(metadata, loaded_keyids, metadata_filename)
+
+
+
+
+
+def make_delegation(keystore_directory):
+  """
+  <Purpose>
+    Create a delegation by updating the 'delegations' field of a parent's
+    metadata file (targets) and creating the delegated role's metadata file.
+    The user specifies the delegated role's name and target files.
+    The parent's metadata file must exist.
+
+  <Arguments>
+    keystore_directory:
+      The directory containing the signing keys (i.e., key files ending
+      in '.key').
+
+  <Exceptions>
+    tuf.RepositoryError, if required directories cannot be valided, the
+      parent role cannot be loaded, the delegated role metadata file
+      cannot be created, or the parent role metadata file cannot be updated. 
+
+  <Side Effects>
+    The targets metadata file is modified.  The 'delegations' field of
+    'targets.txt' is added.
+
+  <Returns>
+    None.
+
+  """
+
+  # Verify the 'keystore_directory' argument.
+  keystore_directory = _check_directory(keystore_directory)
+
+  # Get the metadata directory.
+  try:
+    metadata_directory = _get_metadata_directory()
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+  # Get the delegated role's target directory, which should be located within
+  # the repository's targets directory.  We need this directory to generate the
+  # delegated role's target paths.
+  prompt = '\nNOTE: The directory entered below should be located within the '+\
+    'repository\'s targets directory.\nEnter the directory containing the '+\
+    'delegated role\'s target files: '
+  delegated_targets_directory = _prompt(prompt, str)
+
+  # Verify 'delegated_targets_directory'.
+  try:
+    tuf.repo.signerlib.check_directory(delegated_targets_directory)
+  except (tuf.FormatError, tuf.Error), e:
+    message = str(e)+'\n'
+    raise tuf.RepositoryError(message)
+
+  # Get all the target roles and their respective keyids.
+  # These keyids will let the user know which roles are currently known.
+  # signerlib.get_target_keyids() returns a dictionary that looks something
+  # like this: {'targets': [keyid1, ...], 'targets/role1': [keyid], ...}
+  targets_roles = tuf.repo.signerlib.get_target_keyids(metadata_directory)
+
+  # Load the parent role specified by the user.  The parent role must be loaded
+  # so its delegation field can be updated.
+  parent_role, parent_keyids = _load_parent_role(metadata_directory,
+                                                 keystore_directory,
+                                                 targets_roles)
+
+  # Load the delegated role specified by the user.  The delegated role must be
+  # loaded so its metadata file can be created.
+  delegated_role, delegated_keyid = _get_delegated_role(keystore_directory)
+
+  # Create, sign, and write the delegated role's metadata file.
+  delegated_paths = _make_delegated_metadata(metadata_directory,
+                                             delegated_targets_directory,
+                                             parent_role, delegated_role,
+                                             delegated_keyid)
+
+  # Update the parent roles metadata file.  The parent role's delegation
+  # field must be updated with the newly created delegated role.
+  _update_parent_metadata(metadata_directory, delegated_role, delegated_keyid,
+                          delegated_paths, parent_role, parent_keyids)
+
+
+
+
+
+def _load_parent_role(metadata_directory, keystore_directory, targets_roles):
+  """
+    Load the parent role specified by the user.  The user is presented with a
+    list of known repository roles and asked to enter the parent role to load.
+    Ensure the parent role is loaded properly and return a string containing
+    the parent role's full rolename and a list of keyids belong to the parent.
+
+  """
+
+  # 'load_key' is a reference to the 'load_keystore_from_keyfiles function'.
+  load_key = tuf.repo.keystore.load_keystore_from_keyfiles
+  
+  # Get the parent role.  We need to modify the parent role's metadata file.
+  print '\nListing "targets" and all available delegated roles.'
+  for section in targets_roles.keys():
+    print section
+  parent_role = None
+  # Retrieve the parent role from the user.
+  for attempt in range(MAX_INPUT_ATTEMPTS):
+    prompt = '\nChoose and enter the parent role\'s full name: '
+    parent_role = _prompt(prompt, str)
+    if parent_role not in targets_roles:
+      print '\nInvalid role name entered'
+      parent_role = None
+      continue
+    else:
+      break
+
+  # Ensure we loaded a valid parent role.
+  if parent_role is None:
+    message = 'Could not get a valid parent role.\n'
+    raise tuf.RepositoryError(message)
+
+  # Load the parent's key(s).  The key needs to be loaded because
+  # its metadata file will be modified.
+  parent_keyids = []
+  for keyid in targets_roles[parent_role]:
+    for attempt in range(MAX_INPUT_ATTEMPTS):
+      prompt = 'Enter the password for '+parent_role+' ('+keyid+'): '
+      password = _get_password(prompt)
+      loaded_keyid = load_key(keystore_directory, [keyid], [password])
+      if keyid not in loaded_keyid:
+        print '\nThe keyid could not be loaded.'
+        continue
+      parent_keyids.append(loaded_keyid[0])
+      break
+    if keyid not in parent_keyids:
+      message = 'Could not load the keys for the parent role.\n'
+      raise tuf.RepositoryError(message)
+  
+  return parent_role, parent_keyids
+
+
+
+
+
+def _get_delegated_role(keystore_directory):
+  """
+    Get the delegated role specified by the user.  The user is presented with
+    a list of keyids available in the keystore and asked to enter the keyid
+    belonging to the delegated role.  Return a string containing
+    the delegated role's full rolename and its keyid.
+
+  """
+  
+  # Retrieve the delegated rolename from the user (e.g., 'role1').
+  delegated_role = _prompt('\nEnter the delegated role\'s name: ', str)
+
+  # List the keyids available in the keystore.  The user will next
+  # identify the keyid for the new delegated role.
+  _list_keyids(keystore_directory)
+
+  # Retrieve the delegated role\'s keyid from the user.
+  print '\nThe keyid of the delegated role must be loaded.'
+  delegated_keyid = _get_keyids(keystore_directory)
+
+  # Ensure we actually loaded one delegated key.  Delegated roles
+  # should have only one signing key.
+  if len(delegated_keyid) != 1:
+    message = 'Only one key must be loaded for the delegated role\n'
+    raise tuf.RepositoryError(message)
+  delegated_keyid = delegated_keyid[0]
+
+  return delegated_role, delegated_keyid
+
+
+
+
+
+def _make_delegated_metadata(metadata_directory, delegated_targets_directory,
+                             parent_role, delegated_role, delegated_keyid):
+  """
+    Create, sign, and write the metadata file for the newly added delegated
+    role.  Determine the delegated paths for the target files found in
+    'delegated_targets_directory' and the other information needed
+    to generate the targets metadata file for 'delegated_keyid'.  Return
+    the delegated paths to the caller.
+
+  """
+
+  # Retrieve the file paths for the delegated targets.
+  delegated_paths = []
+  for filename in os.listdir(delegated_targets_directory):
+    full_path = os.path.join(delegated_targets_directory, filename)
+    if os.path.isfile(full_path):
+      # The target paths need to be relative to the repository's targets
+      # directory (e.g., 'targets/role1/target_file.gif').
+      # [len(repository_directory)+1:] strips the repository path, including
+      # its trailing path separator.
+      repository_directory, junk = os.path.split(metadata_directory)
+      delegated_path = delegated_targets_directory[len(repository_directory)+1:]
+      target_path = os.path.join(delegated_path, filename)
+      delegated_paths.append(target_path)
+  message = 'The target paths for '+repr(delegated_role)+': '+\
+    repr(delegated_paths)                                                     
+  logger.info(message)
+
+  # Create, sign, and write the delegated role's metadata file.
+  # The first time a parent role creates a delegation, a directory
+  # containing the parent role's name is created in the metadata
+  # directory.  For example, if the targets roles creates a delegated
+  # role 'role1', the metadata directory would then contain:
+  # '{metadata_directory}/targets/role1.txt', where 'role1.txt' is the
+  # delegated role's metadata file.
+  # If delegated role 'role1' creates its own delegated role 'role2', the
+  # metadata directory would then contain:
+  # '{metadata_directory}/targets/role1/role2.txt'.
+  # When creating a delegated role, if the parent directory already
+  # exists, this means a prior delegation has been perform by the parent. 
+  parent_directory = os.path.join(metadata_directory, parent_role)
+  try:
+    os.mkdir(parent_directory)
+  except OSError, e:
+    if e.errno == errno.EEXIST:
+      pass
+    else:
+      raise
+  delegated_role_filename = delegated_role+'.txt'
+  metadata_filename = os.path.join(parent_directory, delegated_role_filename)
+  repository_directory, junk = os.path.split(metadata_directory)
+  generate_metadata = tuf.repo.signerlib.generate_targets_metadata
+  delegated_metadata = generate_metadata(repository_directory, delegated_paths)
+  _sign_and_write_metadata(delegated_metadata, [delegated_keyid],
+                           metadata_filename)
+
+  return delegated_paths
+
+
+
+
+
+def _update_parent_metadata(metadata_directory, delegated_role, delegated_keyid,
+                            delegated_paths, parent_role, parent_keyids):
+  """
+    Update the parent role's metadata file.  The delegations field of the
+    metadata file is updated with the key and role information belonging
+    to the newly added delegated role.  Finally, the metadata file
+    is signed and written to the metadata directory.
+
+  """
+  
+  # Retrieve the key belonging to 'delegated_keyid' from the keystore.
+  role_key = tuf.repo.keystore.get_key(delegated_keyid)
+
+  # Extract the metadata from the parent role's file.
+  parent_filename = os.path.join(metadata_directory, parent_role)
+  parent_filename = parent_filename+'.txt'
+  parent_signable = tuf.repo.signerlib.read_metadata_file(parent_filename)
+  parent_metadata = parent_signable['signed']
+
+  # Extract the delegations structure if it exists.
+  delegations = parent_metadata.get('delegations', {})
+
+  # Update the keys field.
+  keys = delegations.get('keys', {})
+  if role_key['keytype'] == 'rsa':
+    keyval = role_key['keyval']
+    keys[delegated_keyid] = tuf.rsa_key.create_in_metadata_format(keyval)
+  else:
+    message = 'Invalid keytype encountered: '+delegated_keyid+'\n'
+    raise tuf.RepositoryError(message)
+  delegations['keys'] = keys
+
+  # Update the 'roles' field.
+  roles = delegations.get('roles', {})
+  threshold = 1
+  delegated_role = parent_role+'/'+delegated_role
+  relative_paths = []
+  for path in delegated_paths:
+    relative_paths.append(os.path.sep.join(path.split(os.path.sep)[1:]))
+  roles[delegated_role] = tuf.formats.make_role_metadata([delegated_keyid],
+                                                         threshold,
+                                                         relative_paths)
+  delegations['roles'] = roles
+
+  # Update the larger metadata structure.
+  parent_metadata['delegations'] = delegations
+
+  # Try to write the modified targets file.
+  parent_signable = tuf.formats.make_signable(parent_metadata)
+  _sign_and_write_metadata(parent_signable, parent_keyids, parent_filename)
+
+
+
+
+
+def process_option(options):
+  """
+  <Purpose>
+    Determine the command-line option chosen by the user and call its
+    corresponding function.  If 'signercli' is invoked with the --genrsakey
+    command-line option, its corresponding 'generate_rsa_key()' function
+    is called.
+
+  <Arguments>
+    options:
+      An optparse OptionValues instance, returned by parser.parse_args().
+
+  <Exceptions>
+    tuf.RepositoryError, raised by one of the supported option
+    functions.
+
+    tuf.Error, if a valid option was not encountered.
+
+  <Side Effects>
+    Files in the repository are either created or modified
+    depending on the command-line option chosen by the user.
+
+  <Returns>
+    None.
+
+  """
+
+  # Determine which option was chosen and call its corresponding
+  # internal function with the option's keystore directory argument.
+  if options.genrsakey is not None:
+    generate_rsa_key(options.genrsakey)
+  elif options.listkeys is not None:
+    list_signing_keys(options.listkeys)
+  elif options.changepass is not None:
+    change_password(options.changepass)
+  elif options.dumpkey is not None:
+    dump_key(options.dumpkey)
+  elif options.makeroot is not None:
+    make_root_metadata(options.makeroot)
+  elif options.maketargets is not None:
+    make_targets_metadata(options.maketargets)
+  elif options.makerelease is not None:
+    make_release_metadata(options.makerelease)
+  elif options.maketimestamp is not None:
+    make_timestamp_metadata(options.maketimestamp)
+  elif options.sign is not None:
+    sign_metadata_file(options.sign)
+  elif options.makedelegation is not None:
+    make_delegation(options.makedelegation)
+  else:
+    raise tuf.Error('A valid option was not encountered.\n')
+
+
+
+
+def parse_options():
+  """
+  <Purpose>
+    Parse the command-line options.  'signercli' expects a single
+    command-line option and one keystore directory argument.
+    Example:
+      $ python signercli.py --genrsakey ./keystore
+
+    All supported command-line options expect a single keystore
+    directory argument.  If 'signercli' is invoked with an incorrect
+    number of command-line options or arguments, a parser error
+    is printed and the script exits.
+
+  <Arguments>
+    None.
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    A file is a created or modified depending on the option
+    encountered on the command-line.
+
+  <Returns>
+    The options object returned by the parser's parse_args() method.
+
+  """
+
+  usage = 'usage: %prog [option] <keystore_directory>'
+  option_parser = optparse.OptionParser(usage=usage)
+
+  # Add the options supported by 'signercli' to the option parser.
+  option_parser.add_option('--genrsakey', action='store', type='string',
+                           help='Generate an RSA key and save it to '
+                           'the keystore.')
+
+  option_parser.add_option('--listkeys', action='store', type='string',
+                           help='List the key IDs of the signing '
+                           'keys located in the keystore.')
+
+  option_parser.add_option('--changepass', action='store', type='string',
+                           help='Change the password for one of '
+                           'the signing keys.')
+
+  option_parser.add_option('--dumpkey', action='store', type='string',
+                           help='Dump the contents of an encrypted '
+                           'key file.')
+
+  option_parser.add_option('--makeroot', action='store', type='string',
+                           help='Create the Root metadata file '
+                           '(root.txt).')
+
+  option_parser.add_option('--maketargets', action='store', type='string',
+                           help='Create the Targets metadata file '
+                           '(targets.txt).')
+
+  option_parser.add_option('--makerelease', action='store', type='string',
+                           help='Create the Release metadata file '
+                           '(release.txt).')
+
+  option_parser.add_option('--maketimestamp', action='store', type='string',
+                           help='Create the Timestamp metadata file '
+                           '(timestamp.txt).')
+
+  option_parser.add_option('--sign', action='store', type='string',
+                           help='Sign a metadata file.')
+
+  option_parser.add_option('--makedelegation', action='store', type='string',
+                           help='Create a delegated role by creating '
+                           'its metadata file and updating the parent '
+                           'role\'s metadata file.')
+
+  (options, remaining_arguments) = option_parser.parse_args()
+
+  # Ensure the script was invoked with the correct number of arguments
+  # (i.e., one command-line option and a single keystore directory argument).
+  # Return the options object to the caller to determine the option chosen
+  # by the user.  option_parser.error() will print the argument error message
+  # and exit.
+  if len(sys.argv) != 3:
+    option_parser.error('Expected a single option and one keystore argument.')
+
+  return options
+
+
+
+
+
+if __name__ == '__main__':
+  options = parse_options()
+
+  # Process the command-line option chosen by the user.
+  # 'tuf.RepositoryError' raised by the option's corresponding
+  # function if an error occurs.  'tuf.Error' raised if a valid
+  # option is not provided by the user.
+  try:
+    process_option(options)
+  except (tuf.RepositoryError, tuf.Error), e:
+    sys.stderr.write('Error: '+str(e))
+    sys.exit(1)
+
+  # The command-line option was processed successfully.
+  sys.exit(0)
diff --git a/src/tuf/repo/signerlib.py b/src/tuf/repo/signerlib.py
new file mode 100755
index 00000000..c710c4be
--- /dev/null
+++ b/src/tuf/repo/signerlib.py
@@ -0,0 +1,1143 @@
+"""
+<Program Name>
+  signerlib.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  April 5, 2012.  Based on a previous version of this module by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Provide helper functions to the 'signercli.py' and 'quickstart.py' scripts.
+  These functions contain code that can extract or create needed repository
+  data, such as the extraction of role and keyid information from a config file,
+  and the generation of actual metadata content.
+
+"""
+
+import os
+import ConfigParser
+import logging
+
+import tuf.formats
+import tuf.rsa_key
+import tuf.repo.keystore
+import tuf.sig
+import tuf.util
+
+# See 'log.py' to learn how logging is handled in TUF.
+logger = logging.getLogger('tuf.signerlib')
+
+json = tuf.util.import_json()
+
+# Recommended RSA key sizes: http://www.rsa.com/rsalabs/node.asp?id=2004
+# According to the document above, revised May 6, 2003, RSA keys of
+# size 3072 provide security through 2031 and beyond.  2048-bit keys
+# are the recommended minimum and are good from the present through 2030.
+DEFAULT_RSA_KEY_BITS = 3072
+
+# The metadata filenames for the top-level roles.
+ROOT_FILENAME = 'root.txt'
+TARGETS_FILENAME = 'targets.txt'
+RELEASE_FILENAME = 'release.txt'
+TIMESTAMP_FILENAME = 'timestamp.txt'
+
+# The filename for the repository configuration file.
+# This file holds the keyids and threshold values for
+# the top-level roles and their expiration date.
+CONFIG_FILENAME = 'config.cfg'
+
+
+def read_config_file(filename):
+  """
+  <Purpose>
+    Read the TUF configuration file at filepath 'filename'.  Return a
+    dictionary where the keys are section names and the values dictionaries
+    of the keys/values in that section.
+    For example:
+    config_dict = {'expiration': {'days': 290, 'years': 8, ...},
+                   'root': {'keyids': [1234bc33dfba, 13213123dbfdd]},
+                   ...}
+
+  <Arguments>
+    filename:
+      The absolute path of the configuration file.
+
+  <Exceptions>
+    tuf.FormatError, if 'filename' is improperly formatted.
+
+    tuf.Error, if 'filename' could not be read.
+
+  <Side Effects>
+    The contents of 'filename' are read and stored.
+
+  <Returns>
+    A dictionary containing the data loaded from the configuration file.
+
+  """
+
+  # Does 'filename' have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(filename)
+
+  # Ensure 'filename' is an absolutized path and is a valid file.
+  if not os.path.isabs(filename):
+    raise tuf.Error(repr(filename)+' is not an absolute path.')
+  if not os.path.isfile(filename):
+    raise tuf.Error(repr(filename)+' is not a valid file.')
+
+  # Check if 'filename' is an appropriately named config file.  If it is not,
+  # we want to indicate this and prevent the reading of an invalid file.
+  if not filename.endswith(CONFIG_FILENAME):
+    raise tuf.Error(repr(filename)+' is not a config file.')
+
+  # RawConfigParser is used because unlike ConfigParser,
+  # it does not provide magical interpolation/expansion
+  # of variables (e.g., '%(option)s' would be ignored).
+  config = ConfigParser.RawConfigParser()
+  config.read(filename)
+  config_dict = {}
+
+  # Extract the relevant information from the config and build the
+  # 'config_dict' dictionary.
+  for section in config.sections():
+    config_dict[section] = {}
+    for key, value in config.items(section):
+      if key in ['threshold', 'years', 'seconds', 'minutes', 'days', 'hours']:
+        value = int(value)
+      elif key in ['keyids']:
+        value = value.split(',')
+      config_dict[section][key] = value
+
+  return config_dict
+
+
+
+
+
+def get_metadata_file_info(filename):
+  """
+  <Purpose>
+    Retrieve the file information for 'filename'.  The object returned
+    conforms to 'tuf.formats.FILEINFO_SCHEMA'.  The information
+    generated for 'filename' is stored in metadata files like 'targets.txt'.
+    The fileinfo object returned has the form:
+    fileinfo = {'length': 1024,
+                'hashes': {'sha256': 1233dfba312, ...},
+                'custom': {...}}
+
+  <Arguments>
+    filename:
+      The metadata file whose file information is needed.
+
+  <Exceptions>
+    tuf.FormatError, if 'filename' is improperly formatted.
+
+    tuf.Error, if 'filename' doesn't exist.
+
+  <Side Effects>
+    The file is opened and information about the file is generated,
+    such as file size and its hash.
+
+  <Returns>
+    A dictionary conformant to 'tuf.formats.FILEINFO_SCHEMA'.  This
+    dictionary contains the length, hashes, and custom data about
+    the 'filename' metadata file.
+
+  """
+
+  # Does 'filename' have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(filename)
+
+  if not os.path.isfile(filename):
+    message = repr(filename)+' is not a file.'
+    raise tuf.Error(message)
+  
+  # Note: 'filehashes' is a dictionary of the form
+  # {'sha256': 1233dfba312, ...}.  'custom' is an optional
+  # dictionary that a client might define to include additional
+  # file information, such as the file's author, version/revision
+  # numbers, etc.
+  filesize, filehashes = tuf.util.get_file_details(filename)
+  custom = None
+
+  return tuf.formats.make_fileinfo(filesize, filehashes, custom)
+
+
+
+
+
+def get_metadata_filenames(metadata_directory=None):
+  """
+  <Purpose>
+    Return a dictionary containing the filenames of the top-level roles.
+    If 'metadata_directory' is set to 'metadata', the dictionary
+    returned would contain:
+
+    filenames = {'root': 'metadata/root.txt',
+                 'targets': 'metadata/targets.txt',
+                 'release': 'metadata/release.txt',
+                 'timestamp': 'metadata/timestamp.txt'}
+
+    If the metadata directory is not set by the caller, the current
+    directory is used.
+
+  <Arguments>
+    metadata_directory:
+      The directory containing the metadata files.
+
+  <Exceptions>
+    tuf.FormatError, if 'metadata_directory' is improperly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A dictionary containing the expected filenames of the top-level
+    metadata files, such as 'root.txt' and 'release.txt'.
+
+  """
+
+  if metadata_directory is None:
+    metadata_directory = '.'
+
+  # Does 'metadata_directory' have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch. 
+  tuf.formats.PATH_SCHEMA.check_match(metadata_directory)
+
+  filenames = {}
+  filenames['root'] = os.path.join(metadata_directory, ROOT_FILENAME)
+  filenames['targets'] = os.path.join(metadata_directory, TARGETS_FILENAME)
+  filenames['release'] = os.path.join(metadata_directory, RELEASE_FILENAME)
+  filenames['timestamp'] = os.path.join(metadata_directory, TIMESTAMP_FILENAME)
+
+  return filenames
+
+
+
+
+
+def generate_root_metadata(config_filepath):
+  """
+  <Purpose>
+    Create the root metadata.  'config_filepath' is read
+    and the information contained in this file will be
+    used to generate the root metadata object.
+
+  <Arguments>
+    config_filepath:
+      The file containing metadata information such as the keyids
+      of the top-level roles and expiration data.  'config_filepath'
+      is an absolute path.
+
+  <Exceptions>
+    tuf.FormatError, if the generated root metadata object could not
+    be generated with the correct format.
+
+    tuf.Error, if an error is encountered while generating the root
+    metadata object.
+  
+  <Side Effects>
+    'config_filepath' is read and its contents stored.
+
+  <Returns>
+    A root 'signable' object conformant to 'tuf.formats.SIGNABLE_SCHEMA'.
+
+  """
+
+  # Does 'config_filepath' have the correct format?
+  # Raise 'tuf.FormatError' if the match fails.
+  tuf.formats.PATH_SCHEMA.check_match(config_filepath)
+
+  # 'tuf.Error' raised if 'config_filepath' cannot be read. 
+  config = read_config_file(config_filepath)
+
+  # The role and key dictionaries to be saved in the root metadata object.
+  roledict = {}
+  keydict = {}
+
+  # Extract the role, threshold, and keyid information from the config.
+  # The necessary role metadata is generated from this information.
+  for rolename in ['root', 'targets', 'release', 'timestamp']:
+    # If a top-level role is missing from the config, raise an exception.
+    if rolename not in config:
+      raise tuf.Error('No '+rolename+' section found in config file.')
+    keyids = []
+    # Generate keys for the keyids listed by the role being processed.
+    for config_keyid in config[rolename]['keyids']:
+      key = tuf.repo.keystore.get_key(config_keyid)
+
+      # If 'key' is an RSA key, it would conform to 'tuf.formats.RSAKEY_SCHEMA',
+      # and have the form:
+      # {'keytype': 'rsa',
+      #  'keyid': keyid,
+      #  'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+      #             'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+      keyid = key['keyid']
+      # This appears to be a new keyid.  Let's generate the key for it.
+      if keyid not in keydict:
+        if key['keytype'] == 'rsa':
+          keydict[keyid] = tuf.rsa_key.create_in_metadata_format(key['keyval'])
+        # This is not a recognized key.  Raise an exception.
+        else:
+          raise tuf.Error('Unsupported keytype: '+keyid)
+      # Do we have a duplicate?  Raise an exception if so.
+      if keyid in keyids:
+        raise tuf.Error('Same keyid listed twice: '+keyid)
+      # Add the loaded keyid for the role being processed.
+      keyids.append(keyid)
+    # Generate and store the role data belonging to the processed role.
+    role_metadata = tuf.formats.make_role_metadata(keyids, config[rolename]['threshold'])
+    roledict[rolename] = role_metadata
+
+  # Extract the expiration information from the config.  The root metadata
+  # object stores this expiration information in total seconds.
+  expiration = config['expiration']
+  expiration_seconds = (expiration['seconds'] + 60 * expiration['minutes'] +
+                        3600 * expiration['hours'] +
+                        3600 * 24 * expiration['days'])
+
+  # Generate the root metadata object.
+  root_metadata = tuf.formats.RootFile.make_metadata(keydict, roledict,
+                                                     expiration_seconds)
+
+  # Note: make_signable() returns the following dictionary:
+  # {'signed' : role_metadata, 'signatures' : []}
+  return tuf.formats.make_signable(root_metadata)
+
+
+
+
+
+def generate_targets_metadata(repository_directory, target_files):
+  """
+  <Purpose>
+    Generate the targets metadata object. The targets must exist at the same
+    path they should on the repo.  'target_files' is a list of targets. We're
+    not worrying about custom metadata at the moment. It is allowed to not
+    provide keys.
+
+  <Arguments>
+    target_files:
+      The target files tracked by 'targets.txt'.  'target_files' is a list of
+      paths/directories of target files that are relative to the repository
+      (e.g., ['targets/file1.txt', ...]).  If the target files are saved in
+      the root folder 'targets' on the repository, then 'targets' must be
+      included in the target paths.  The repository does not have to name
+      this folder 'targets'.
+
+    repository_directory:
+      The directory (absolute path) containing the metadata and target
+      directories.
+
+  <Exceptions>
+    tuf.FormatError, if an error occurred trying to generate the targets
+    metadata object.
+
+    tuf.Error, if any of the target files could not be read. 
+
+  <Side Effects>
+    The target files are read and file information generated about them.
+
+  <Returns>
+    A targets 'signable' object, conformant to 'tuf.formats.SIGNABLE_SCHEMA'.
+
+  """
+
+  # Do the arguments have the correct format.
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATHS_SCHEMA.check_match(target_files)
+  tuf.formats.PATH_SCHEMA.check_match(repository_directory)
+
+  filedict = {}
+
+  repository_directory = check_directory(repository_directory)
+
+  # Generate the file info for all the target files listed in 'target_files'.
+  for target in target_files:
+    relative_targetpath = os.path.sep.join(target.split(os.path.sep)[1:])
+    # Ex: 'targets/more_targets/somefile.txt' -> 'more_targets/somefile.txt'
+    # i.e. 'targets/' is removed from 'target'.
+    target_path = os.path.join(repository_directory, target)
+    if not os.path.exists(target_path):
+      message = repr(target_path)+' could not be read.  Unable to generate '+\
+        'targets metadata.'
+      raise tuf.Error(message)
+    filedict[relative_targetpath] = get_metadata_file_info(target_path)
+
+  # Generate the targets metadata object.
+  targets_metadata = tuf.formats.TargetsFile.make_metadata(filedict)
+
+  return tuf.formats.make_signable(targets_metadata)
+
+
+
+
+
+def generate_release_metadata(metadata_directory):
+  """
+  <Purpose>
+    Create the release metadata.  The minimum metadata must exist
+    (i.e., 'root.txt' and 'targets.txt'). This will also look through
+    the 'targets/' directory in 'metadata_directory' and the resulting
+    release file will list all the delegated roles.
+
+  <Arguments>
+    metadata_directory:
+      The directory containing the 'root.txt' and 'targets.txt' metadata
+      files.
+
+  <Exceptions>
+    tuf.FormatError, if 'metadata_directory' is improperly formatted.
+
+    tuf.Error, if an error occurred trying to generate the release metadata
+    object.
+
+  <Side Effects>
+    The 'root.txt' and 'targets.txt' files are read.
+
+  <Returns>
+    The release 'signable' object, conformant to 'tuf.formats.SIGNABLE_SCHEMA'.
+
+  """
+
+  # Does 'metadata_directory' have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(metadata_directory)
+
+  metadata_directory = check_directory(metadata_directory)
+
+  # Retrieve the full filepath of the root and targets metadata file.
+  root_filename = os.path.join(metadata_directory, 'root.txt')
+  targets_filename = os.path.join(metadata_directory, 'targets.txt')
+
+  # Retrieve the file info of 'root.txt' and 'targets.txt'.  This file
+  # information includes data such as file length, hashes of the file, etc.
+  filedict = {}
+  filedict['root.txt'] = get_metadata_file_info(root_filename)
+  filedict['targets.txt'] = get_metadata_file_info(targets_filename)
+
+  # Walk the 'targets/' directory and generate the file info for all
+  # the files listed there.  This information is stored in the 'meta'
+  # field of the release metadata object.
+  targets_metadata = os.path.join(metadata_directory, 'targets')
+  if os.path.exists(targets_metadata) and os.path.isdir(targets_metadata):
+    for directory_path, junk, files in os.walk(targets_metadata):
+      # 'files' here is a list of target file names.
+      for basename in files:
+        metadata_path = os.path.join(directory_path, basename)
+        metadata_name = metadata_path[len(metadata_directory):].lstrip(os.path.sep)
+        filedict[metadata_name] = get_metadata_file_info(metadata_path)
+
+  # Generate the release metadata object.
+  release_metadata = tuf.formats.ReleaseFile.make_metadata(filedict)
+
+  return tuf.formats.make_signable(release_metadata)
+
+
+
+
+
+def generate_timestamp_metadata(release_filename, compressions=()):
+  """
+  <Purpose>
+    Generate the timestamp metadata object.  The 'release.txt' file must exist.
+
+  <Arguments>
+    release_filename:
+      The required filename of the release metadata file.
+
+    compressions:
+      Compression extensions (e.g., 'gz' and 'tgz').  If 'release.txt' is also
+      saved in compressed form, these compression extensions should be stored
+      in 'compressions' so the compressed timestamp files can be added to the
+      timestamp metadata object.
+
+  <Exceptions>
+    tuf.FormatError, if the generated timestamp metadata object could
+    not be formatted correctly.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A timestamp 'signable' object, conformant to 'tuf.formats.SIGNABLE_SCHEMA'.
+
+  """
+
+  # Does 'release_filename' have the correct format?
+  # Raise 'tuf.FormatError' if there is  mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(release_filename)
+
+  # Retrieve the file info for the release metadata file.
+  # This file information contains hashes, file length, custom data, etc.
+  fileinfo = {}
+  fileinfo['release.txt'] = get_metadata_file_info(release_filename)
+
+  # Save the file info of the compressed versions of 'timestamp.txt'.
+  for file_extension in compressions:
+    compressed_filename = release_filename + '.' + file_extension
+    compressed_fileinfo = get_metadata_file_info(compressed_filename)
+    fileinfo['release.txt.' + file_extension] = compressed_fileinfo
+
+  # Generate the timestamp metadata object.
+  timestamp_metadata = tuf.formats.TimestampFile.make_metadata(fileinfo)
+
+  return tuf.formats.make_signable(timestamp_metadata)
+
+
+
+
+
+def write_metadata_file(metadata, filename):
+  """
+  <Purpose>
+    Create the file containing the metadata.
+
+  <Arguments>
+    metadata:
+      The object that will be saved to 'filename'.
+
+    filename:
+      The filename (absolute path) of the metadata to be
+      written (e.g., 'root.txt').
+
+  <Exceptions>
+    tuf.FormatError, if the arguments are improperly formatted.
+
+    tuf.Error, if 'filename' doesn't exist.
+
+  <Side Effects>
+    The 'filename' file is created or overwritten if it exists.
+
+  <Returns>
+    The path to the written metadata file.
+
+  """
+
+  # Are the arguments properly formatted?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.SIGNABLE_SCHEMA.check_match(metadata)
+  tuf.formats.PATH_SCHEMA.check_match(filename)
+
+  # Split 'filename' into head and tail.  Verify that head exists.
+  check_directory(os.path.split(filename)[0])
+
+  logger.info('Writing to '+repr(filename))
+  file_object = open(filename, 'w')
+
+  # The metadata object is saved to 'file_object'.  The keys
+  # of the objects are sorted and indentation is used.
+  json.dump(metadata, file_object, indent=1, sort_keys=True)
+
+  file_object.write('\n')
+  file_object.close()
+
+  return filename
+
+
+
+
+
+def read_metadata_file(filename):
+  """
+  <Purpose>
+    Extract the metadata object from 'filename'.
+
+  <Arguments>
+    filename:
+      The filename of the file containing the metadata object.
+
+  <Exceptions>
+    tuf.FormatError, if 'filename' is improperly formatted.
+
+  <Side Effects>
+    The contents of 'filename' are extracted.
+
+  <Returns>
+   The metadata object.
+
+  """
+
+  return tuf.util.load_json_file(filename)
+
+
+
+
+
+def sign_metadata(metadata, keyids, filename):
+  """
+  <Purpose>
+    Sign a metadata object. If any of the keyids have already signed the file,
+    the old signature will be replaced.  The keys in 'keyids' must already be
+    loaded in the keystore.
+
+  <Arguments>
+    metadata:
+      The metadata object to sign.  For example, 'metadata' might correspond to
+      'tuf.formats.ROOT_SCHEMA' or 'tuf.formats.TARGETS_SCHEMA'.
+
+    keyids:
+      The keyids list of the signing keys.
+
+    filename:
+      The intended filename of the signed metadata object.
+      For example, 'root.txt' or 'targets.txt'.  This function
+      does NOT save the signed metadata to this filename.
+
+  <Exceptions>
+    tuf.FormatError, if a valid 'signable' object could not be generated.
+
+    tuf.Error, if an invalid keytype was found in the keystore. 
+  
+  <Side Effects>
+    None.
+
+  <Returns>
+    A signable object conformant to 'tuf.formats.SIGNABLE_SCHEMA'.
+
+  """
+
+  # Does 'keyids' and 'filename' have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.KEYIDS_SCHEMA.check_match(keyids)
+  tuf.formats.PATH_SCHEMA.check_match(filename)
+
+  # Make sure the metadata is in 'signable' format.  That is,
+  # it contains a 'signatures' field containing the result
+  # of signing the 'signed' field of 'metadata' with each
+  # keyid of 'keyids'.
+  signable = tuf.formats.make_signable(metadata)
+
+  # Sign the metadata with each keyid in 'keyids'.
+  for keyid in keyids:
+    # Load the signing key.
+    key = tuf.repo.keystore.get_key(keyid)
+    logger.info('Signing '+repr(filename)+' with '+key['keyid'])
+
+    # Create a new signature list.  If 'keyid' is encountered,
+    # do not add it to new list.
+    signatures = []
+    for signature in signable['signatures']:
+      if not keyid == signature['keyid']:
+        signatures.append(signature)
+    signable['signatures'] = signatures
+
+    # Generate the signature using the appropriate signing method.
+    if key['keytype'] == 'rsa':
+      signed = signable['signed']
+      signature = tuf.sig.generate_rsa_signature(signed, key)
+      signable['signatures'].append(signature)
+    else:
+      raise tuf.Error('The keystore contains a key with an invalid key type')
+
+  # Raise 'tuf.FormatError' if the resulting 'signable' is not formatted
+  # correctly.
+  tuf.formats.check_signable_object_format(signable)
+
+  return signable
+
+
+
+
+
+def generate_and_save_rsa_key(keystore_directory, password,
+                              bits=DEFAULT_RSA_KEY_BITS):
+  """
+  <Purpose>
+    Generate a new RSA key and save it as an encrypted key file
+    to 'keystore_directory'.  The encrypted key file is named:
+    <keyid>.key.  'password' is used as the encryption key.
+
+  <Arguments>
+    keystore_directory:
+      The directory to save the generated encrypted key file.
+
+    password:
+      The password used to encrypt the RSA key file.
+
+    bits:
+      The key size, or key length, of the RSA key.
+
+  <Exceptions>
+    tuf.FormatError, if 'bits' or 'password' does not have the
+    correct format.
+
+    tuf.CryptoError, if there was an error while generating the key.
+
+  <Side Effects>
+    An encrypted key file is created in 'keystore_directory'.
+
+  <Returns>
+    The generated RSA key.
+    The object returned conforms to 'tuf.formats.RSAKEY_SCHEMA' of the form:
+    {'keytype': 'rsa',
+     'keyid': keyid,
+     'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+
+  """
+
+  # Are the arguments correctly formatted?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(keystore_directory)
+  tuf.formats.PASSWORD_SCHEMA.check_match(password)
+
+  keystore_directory = check_directory(keystore_directory)
+
+  # tuf.FormatError or tuf.CryptoError raised.
+  rsakey = tuf.rsa_key.generate(bits)
+
+  logger.info('Generated a new key: '+rsakey['keyid'])
+
+  # Store the generated RSA key in the keystore and save the
+  # key file '<keyid>.key' in 'keystore_directory'.
+  try:
+    tuf.repo.keystore.add_rsakey(rsakey, password)
+    tuf.repo.keystore.save_keystore_to_keyfiles(keystore_directory)
+  except tuf.FormatError:
+    raise
+  except tuf.KeyAlreadyExistsError:
+    logger.warn('The generated RSA key already exists.')
+
+  return rsakey
+
+
+
+
+
+def check_directory(directory):
+  """
+  <Purpose>
+    Ensure 'directory' is valid and it exists.  This is not a security check,
+    but a way for the caller to determine the cause of an invalid directory
+    provided by the user.  If the directory argument is valid, it is returned
+    normalized and as an absolute path.
+
+  <Arguments>
+    directory:
+      The directory (absolute path) to check.
+
+  <Exceptions>
+    tuf.Error, if 'directory' could not be validated.
+
+    tuf.FormatError, if 'directory' is not properly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    The normalized absolutized path of 'directory'.
+
+  """
+
+  # Does 'directory' have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(directory)
+
+  directory = os.path.abspath(directory)
+
+  if not os.path.isabs(directory):
+    raise tuf.Error(repr(directory)+' is not an absolute path.')
+
+  # Check if the directory exists.
+  if not os.path.isdir(directory):
+    raise tuf.Error(repr(directory)+' directory does not exist')
+
+  return directory
+
+
+
+
+
+def get_target_keyids(metadata_directory):
+  """
+  <Purpose>
+    Retrieve the role keyids for all the target roles located
+    in 'metadata_directory'.  The target's '.txt' metadata
+    file is inspected and the keyids extracted.  The 'targets.txt'
+    role, including delegated roles (e.g., 'targets/role1.txt'),
+    are all read.
+
+  <Arguments>
+    metadata_directory:
+      The directory containing the 'targets.txt' metadata file and
+      the metadata for optional delegated roles.  The delegated role
+      'role1' whose parent is 'targets', would be located in the
+      '{metadata_directory}/targets/role1' directory.
+
+  <Exceptions>
+    tuf.FormatError, if any of the arguments are improperly formatted.
+
+    tuf.RepositoryError, if there was an error reading a target file.
+
+  <Side Effects>
+    Reads all of the target metadata found in 'metadata_directory'
+    and stores the information extracted.
+
+  <Returns>
+    A dictionary containing the role information extracted from the
+    metadata.
+    Ex: {'targets':[keyid1, ...], 'targets/role1':[keyid], ...}
+
+  """
+
+  # Does 'metadata_directory' have the correct format?
+  # Raise 'tuf.FormatError, if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(metadata_directory)
+
+  metadata_directory = check_directory(metadata_directory)
+
+  # The dict holding the keyids for all the target roles.
+  # This dict will be returned to the caller. 
+  role_keyids = {}
+
+  # Read the 'targets.txt' file.  This file must exist.
+  targets_filepath = os.path.join(metadata_directory, 'targets.txt')
+  if not os.path.exists(targets_filepath):
+    raise RepositoryError('"targets.txt" not found')
+
+  # Read the contents of 'targets.txt' and save the signable.
+  targets_signable = tuf.util.load_json_file(targets_filepath)
+
+  # Ensure the signable is properly formatted.
+  try:
+    tuf.formats.check_signable_object_format(targets_signable)
+  except tuf.FormatError, e:
+    raise RepositoryError('"targets.txt" is improperly formatted')
+
+  # Store the keyids of the 'targets' role.  This target role is
+  # required.
+  role_keyids['targets'] = []
+  for signature in targets_signable['signatures']:
+    role_keyids['targets'].append(signature['keyid'])
+
+  # Walk the 'targets/' directory and generate the file info for all
+  # the targets.  This information is stored in the 'meta' field of
+  # the release metadata object.  The keyids for the optional
+  # delegated roles will now be extracted.
+  targets_metadata = os.path.join(metadata_directory, 'targets')
+  if os.path.exists(targets_metadata) and os.path.isdir(targets_metadata):
+    for directory_path, junk, files in os.walk(targets_metadata):
+      for basename in files:
+        # Store the metadata's file path and the role's full name (without
+        # the '.txt').   The target role is identified by its full name.
+        # The metadata's file path is needed so it can be loaded.
+        metadata_path = os.path.join(directory_path, basename)
+        metadata_name = metadata_path[len(metadata_directory):].lstrip(os.path.sep)
+        metadata_name = metadata_name[:-len('.txt')]
+
+        # Read the contents of 'metadata_path' and save the signable.
+        targets_signable = tuf.util.load_json_file(metadata_path)
+
+        # Ensure the signable is properly formatted.
+        try:
+          tuf.formats.check_signable_object_format(targets_signable)
+        except tuf.FormatError, e:
+          continue
+
+        # Store the signature keyids of the 'metadata_name' role.
+        role_keyids[metadata_name] = []
+        for signature in targets_signable['signatures']:
+          role_keyids[metadata_name].append(signature['keyid'])
+
+  return role_keyids
+
+
+
+
+
+def build_config_file(config_file_directory, timeout, role_info):
+  """
+  <Purpose>
+    Build the configuration file containing the keyids, threshold,
+    and expiration time for the top-level metadata files.
+
+  <Arguments>
+    config_file_directory:
+      The absolute path of the directory to save the configuration file.
+
+    timeout:
+      The the number of days left before the top-level metadata files expire.
+
+    role_info:
+      A dictionary containing the keyids and threshold values for the
+      top-level roles.  Must conform to 'tuf.formats.ROLEDICT_SCHEMA':
+      {'rolename': {'keyids': ['34345df32093bd12...'],
+                    'threshold': 1
+                    'paths': ['path/to/role.txt']}}
+
+  <Exceptions>
+    tuf.FormatError, if any of the arguments are improperly formatted.
+
+  <Side Effects>
+    The configuration file is written to 'config_filepath'.
+
+  <Returns>
+    The normalized absolutized path of the saved configuration file.
+
+  """
+
+  # Do the arguments have the correct format?
+  # Raise 'tuf.FormatError' if any of them is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(config_file_directory)
+  tuf.formats.LENGTH_SCHEMA.check_match(timeout)
+  tuf.formats.ROLEDICT_SCHEMA.check_match(role_info)
+
+  config_file_directory = check_directory(config_file_directory) 
+  
+  # Construct the configuration file parser (hint: .ini).
+  config_parser = ConfigParser.ConfigParser()
+
+  # Verify that only the top-level roles are presented.
+  for role in role_info.keys():
+    if role not in ['root', 'targets', 'release', 'timestamp']:
+      msg = ('\nCannot build configuration file: role '+repr(role)+
+             ' is not a top-level role.')
+      raise tuf.Error(msg)
+
+  # Handle the expiration data.
+  config_parser.add_section('expiration')
+  config_parser.set('expiration', 'days', timeout)
+  config_parser.set('expiration', 'years', 0)
+  config_parser.set('expiration', 'minutes', 0)
+  config_parser.set('expiration', 'hours', 0)
+  config_parser.set('expiration', 'seconds', 0)
+
+  # Build the role data.
+  for role in role_info:
+    config_parser.add_section(role)
+
+    # Each role has an associated list of keyids and a threshold.
+    keyids = role_info[role]['keyids']
+    threshold = role_info[role]['threshold']
+
+    # Convert 'keyids' into a string list it can read.
+    # This is done because in ConfigParser.set(section, option, value)
+    # the 'value' parameter should always be a string.
+    # keyid_list has the form: 'keyid1, keyid2, keyid3'
+    keyid_list = ','.join(keyids)
+
+    # And add that data to the appropriate section.
+    config_parser.set(role, 'keyids', keyid_list)
+    config_parser.set(role, 'threshold', threshold)
+
+  # We want to write this to '{config_file_directory}/CONFIG_FILENAME'.
+  file_path = os.path.join(config_file_directory, CONFIG_FILENAME)
+  file_object = open(file_path, 'w')
+  config_parser.write(file_object)
+  file_object.close()
+
+  return file_path
+
+
+
+
+
+def build_root_file(config_filepath, root_keyids, metadata_directory):
+  """
+  <Purpose>
+    Build the root metadata file using the information available in the
+    configuration file and sign the root file with 'root_keyids'.
+    The generated metadata file is saved to 'metadata_directory'.
+
+  <Arguments>
+    config_filepath:
+      The absolute path of the configuration file.
+
+    root_keyids:
+      The list of keyids to be used as the signing keys for the root file.
+
+    metadata_directory:
+      The directory to save the root metadata file.
+
+  <Exceptions>
+    tuf.FormatError, if any of the arguments are improperly formatted.
+
+    tuf.Error, if there was an error building the root file.
+
+  <Side Effects>
+    The root metadata file is written to a file.
+
+  <Returns>
+    The path for the written root metadata file.
+
+  """
+
+  # Do the arguments have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(config_filepath)
+  tuf.formats.KEYIDS_SCHEMA.check_match(root_keyids)
+  tuf.formats.PATH_SCHEMA.check_match(metadata_directory)
+
+  metadata_directory = check_directory(metadata_directory)
+  
+  root_filepath = os.path.join(metadata_directory, ROOT_FILENAME)
+
+  root_metadata = generate_root_metadata(config_filepath)
+  signable = sign_metadata(root_metadata, root_keyids, root_filepath)
+
+  return write_metadata_file(signable, root_filepath)
+
+
+
+
+
+def build_targets_file(targets_directory, targets_keyids, metadata_directory):
+  """
+  <Purpose>
+    Build the targets metadata file using the signing keys in 'targets_keyids'.
+    The generated metadata file is saved to 'metadata_directory'.  The target
+    files located in 'targets_directory' will be tracked by the built targets
+    metadata.
+
+  <Arguments>
+    targets_directory:
+      The directory (absolute path) containing all the target files.
+
+    targets_keyids:
+      The list of keyids to be used as the signing keys for the targets file.
+
+    metadata_directory:
+      The metadata directory (absolute path) containing all the metadata files.
+
+  <Exceptions>
+    tuf.FormatError, if any of the arguments are improperly formatted.
+
+    tuf.Error, if there was an error while building the targets file.
+
+  <Side Effects>
+    The targets metadata file is written to a file.
+
+  <Returns>
+    The path for the written targets metadata file.
+
+  """
+
+  # Do the arguments have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(targets_directory)
+  tuf.formats.KEYIDS_SCHEMA.check_match(targets_keyids)
+  tuf.formats.PATH_SCHEMA.check_match(metadata_directory)
+
+  # Check if 'targets_directory' and 'metadata_directory' are valid.
+  targets_directory = check_directory(targets_directory)
+  metadata_directory = check_directory(metadata_directory)
+
+  repository_directory, junk = os.path.split(metadata_directory)
+  repository_directory_length = len(repository_directory)
+
+  # Get the list of targets.
+  targets = []
+  for root, directories, files in os.walk(targets_directory):
+    for target_file in files:
+      # Note: '+1' in the line below is there to remove '/'.
+      filename = os.path.join(root, target_file)[repository_directory_length+1:]
+      targets.append(filename)
+
+  # Create the targets metadata object.
+  targets_metadata = generate_targets_metadata(repository_directory, targets)
+
+  # Sign it.
+  targets_filepath = os.path.join(metadata_directory, TARGETS_FILENAME)
+  signable = sign_metadata(targets_metadata, targets_keyids, targets_filepath)
+
+  return write_metadata_file(signable, targets_filepath)
+
+
+
+
+
+def build_release_file(release_keyids, metadata_directory):
+  """
+  <Purpose>
+    Build the release metadata file using the signing keys in 'release_keyids'.
+    The generated metadata file is saved in 'metadata_directory'.
+
+  <Arguments>
+    release_keyids:
+      The list of keyids to be used as the signing keys for the release file.
+
+    metadata_directory:
+      The directory (absolute path) to save the release metadata file.
+
+  <Exceptions>
+    tuf.FormatError, if any of the arguments are improperly formatted.
+
+    tuf.Error, if there was an error while building the release file.
+
+  <Side Effects>
+    The release metadata file is written to a file.
+
+  <Returns>
+    The path for the written release metadata file.
+
+  """
+
+  # Do the arguments have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.KEYIDS_SCHEMA.check_match(release_keyids)
+  tuf.formats.PATH_SCHEMA.check_match(metadata_directory)
+
+  metadata_directory = check_directory(metadata_directory)
+
+  # Generate the file path of the release metadata.
+  release_filepath = os.path.join(metadata_directory, RELEASE_FILENAME)
+
+  # Generate and sign the release metadata.
+  release_metadata = generate_release_metadata(metadata_directory)
+  signable = sign_metadata(release_metadata, release_keyids, release_filepath)
+
+  return write_metadata_file(signable, release_filepath)
+
+
+
+
+
+def build_timestamp_file(timestamp_keyids, metadata_directory):
+  """
+  <Purpose>
+    Build the timestamp metadata file using the signing keys in 'timestamp_keyids'.
+    The generated metadata file is saved in 'metadata_directory'.
+
+  <Arguments>
+    timestamp_keyids:
+      The list of keyids to be used as the signing keys for the timestamp file.
+
+    metadata_directory:
+      The directory (absolute path) to save the timestamp metadata file.
+
+  <Exceptions>
+    tuf.FormatError, if any of the arguments are improperly formatted.
+
+    tuf.Error, if there was an error while building the timestamp file.
+
+  <Side Effects>
+    The timestamp metadata file is written to a file.
+
+  <Returns>
+    The path for the written timestamp metadata file.
+
+  """
+
+  # Do the arguments have the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.KEYIDS_SCHEMA.check_match(timestamp_keyids)
+  tuf.formats.PATH_SCHEMA.check_match(metadata_directory)
+
+  metadata_directory = check_directory(metadata_directory)
+
+  # Generate the file path of the release and timestamp metadata.
+  release_filepath = os.path.join(metadata_directory, RELEASE_FILENAME)
+  timestamp_filepath = os.path.join(metadata_directory, TIMESTAMP_FILENAME)
+
+  # Generate and sign the release metadata.
+  timestamp_metadata = generate_timestamp_metadata(release_filepath)
+  signable = sign_metadata(timestamp_metadata, timestamp_keyids, timestamp_filepath)
+
+  return write_metadata_file(signable, timestamp_filepath)
diff --git a/src/tuf/roledb.py b/src/tuf/roledb.py
new file mode 100755
index 00000000..f8032f4e
--- /dev/null
+++ b/src/tuf/roledb.py
@@ -0,0 +1,625 @@
+"""
+<Program Name>
+  roledb.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  March 21, 2012.  Based on a previous version of this module by Geremy Condra.
+  
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Represent a collection of roles and their organization.  The caller may create
+  a collection of roles from those found in the 'root.txt' metadata file by
+  calling 'create_roledb_from_rootmeta()', or individually by adding roles with
+  'add_role()'.  There are many supplemental functions included here that yield
+  useful information about the roles contained in the database, such as
+  extracting all the parent rolenames for a specified rolename, deleting all the
+  delegated roles, retrieving role paths, etc.
+
+  The role database is a dictionary conformant to 'tuf.formats.ROLEDICT_SCHEMA'
+  and has the form:
+  {'rolename': {'keyids': ['34345df32093bd12...'],
+                'threshold': 1
+                'paths': ['path/to/role.txt']}}
+
+"""
+
+import tuf.formats
+import logging
+
+import tuf.log
+
+# See 'tuf.log' to learn how logging is handled in TUF.
+logger = logging.getLogger('tuf.roledb')
+
+# The role database.
+_roledb_dict = {}
+
+
+def create_roledb_from_root_metadata(root_metadata):
+  """
+  <Purpose>
+    Create a role database containing all of the unique roles found in
+    'root_metadata'.
+
+  <Arguments>
+    root_metadata:
+      A dictionary conformant to 'tuf.formats.ROOT_SCHEMA'.  The roles found
+      in the 'roles' field of 'root_metadata' is needed by this function.  
+
+  <Exceptions>
+    tuf.FormatError, if 'root_metadata' does not have the correct object format.
+
+    tuf.Error, if one of the roles found in 'root_metadata' contains an invalid
+    delegation (i.e., a nonexistent parent role).
+
+  <Side Effects>
+    Calls add_role().
+    
+    The old role database is replaced.
+
+  <Returns>
+    None.
+
+  """
+
+  # Does 'root_metadata' have the correct object format?
+  # This check will ensure 'root_metadata' has the appropriate number of objects 
+  # and object types, and that all dict keys are properly named.
+  # Raises tuf.FormatError.
+  tuf.formats.ROOT_SCHEMA.check_match(root_metadata)
+
+  # Clear the role database.
+  _roledb_dict.clear()
+
+  # Iterate through the roles found in 'root_metadata'
+  # and add them to '_roledb_dict'.  Duplicates are avoided.
+  for rolename, roleinfo in root_metadata['roles'].items():
+    try:
+      add_role(rolename, roleinfo)
+    # tuf.Error raised if the parent role of 'rolename' does not exist.  
+    except tuf.Error, e:
+      logger.error(e)
+      raise
+
+
+
+
+
+def add_role(rolename, roleinfo, require_parent=True):
+  """
+  <Purpose>
+    Add to the role database the 'roleinfo' associated with 'rolename'.
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+    roleinfo:
+      An object representing the role associated with 'rolename', conformant to
+      ROLE_SCHEMA.  'roleinfo' has the form: 
+      {'keyids': ['34345df32093bd12...'],
+       'threshold': 1}
+
+      The 'target' role has an additional 'paths' key.  Its value is a list of
+      strings representing the path of the target file(s).
+
+    require_parent:
+      A boolean indicating whether to check for a delegating role.  add_role()
+      will raise an exception if this parent role does not exist.
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' or 'roleinfo' does not have the correct
+    object format.
+
+    tuf.RoleAlreadyExistsError, if 'rolename' has already been added.
+
+    tuf.InvalidNameError, if 'rolename' is improperly formatted.
+
+  <Side Effects>
+    The role database is modified.
+
+  <Returns>
+    None.
+
+  """
+
+  # Does 'rolename' have the correct object format?
+  # This check will ensure 'rolename' has the appropriate number of objects 
+  # and object types, and that all dict keys are properly named.
+  tuf.formats.ROLENAME_SCHEMA.check_match(rolename)
+
+  # Does 'roleinfo' have the correct object format?
+  tuf.formats.ROLE_SCHEMA.check_match(roleinfo)
+
+  # Does 'require_parent' have the correct format?
+  tuf.formats.TOGGLE_SCHEMA.check_match(require_parent)
+
+  # Raises tuf.InvalidNameError.
+  _validate_rolename(rolename)
+
+  if rolename in _roledb_dict:
+    raise tuf.RoleAlreadyExistsError('Role already exists: '+rolename)
+
+  # Make sure that the delegating role exists. This should be just a
+  # sanity check and not a security measure.
+  if require_parent and '/' in rolename:
+    # Get parent role.  'a/b/c/d' --> 'a/b/c'. 
+    parent_role = '/'.join(rolename.split('/')[:-1])
+
+    if parent_role not in _roledb_dict:
+      raise tuf.Error('Parent role does not exist: '+parent_role)
+
+  _roledb_dict[rolename] = roleinfo
+
+
+
+
+
+def get_parent_rolename(rolename):
+  """
+  <Purpose>
+    Return the name of the parent role for 'rolename'.
+    Given the rolename 'a/b/c/d', return 'a/b/c'.
+    Given 'a', return ''.
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format.
+
+    tuf.UnknownRoleError, if 'rolename' cannot be found in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A string representing the name of the parent role.
+
+  """
+
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+
+  parts = rolename.split('/')
+  parent_rolename = '/'.join(parts[:-1])
+
+  return parent_rolename
+
+
+
+
+
+def get_all_parent_roles(rolename):
+  """
+  <Purpose>
+    Return a list of roles that are parents of 'rolename'.
+    Given the rolename 'a/b/c/d', return the list:
+    ['a', 'a/b', 'a/b/c'].
+
+    Given 'a', return ['a'].
+  
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format. 
+
+    tuf.UnknownRoleError, if 'rolename' cannot be found in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is improperly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A list containing all the parent roles.
+
+  """
+    
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+
+  # List of parent roles returned.
+  parent_roles = []
+
+  parts = rolename.split('/')
+
+  # Append the first role to the list.
+  parent_roles.append(parts[0])
+
+  # The 'roles_added' string contains the roles already added.  If 'a' and 'a/b'
+  # have been added to 'parent_roles', 'roles_added' would contain 'a/b'
+  roles_added = parts[0]
+
+  # Add each subsequent role to the previous string (with a '/' separator).
+  # This only goes to -1 because we only want to return the parents (so we
+  # ignore the last element).
+  for next_role in parts[1:-1]:
+    parent_roles.append(roles_added+'/'+next_role)
+    roles_added = roles_added+'/'+next_role
+
+  return parent_roles
+
+
+
+
+
+def role_exists(rolename):
+  """
+  <Purpose>
+    Verify whether 'rolename' is stored in the role database.
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    Boolean.  True if 'rolename' is found in the role database, False otherwise.
+
+  """
+
+  # Raise tuf.FormatError, tuf.InvalidNameError.
+  try: 
+    _check_rolename(rolename)
+  except (tuf.FormatError, tuf.InvalidNameError):
+    raise
+  except tuf.UnknownRoleError:
+    return False
+  
+  return True
+
+
+
+
+
+def remove_role(rolename):
+  """
+  <Purpose>
+    Remove 'rolename', including its delegations.
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format.
+
+    tuf.UnknownRoleError, if 'rolename' cannot be found in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    A role, or roles, may be removed from the role database.
+
+  <Returns>
+    None.
+  
+  """
+ 
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+  
+  remove_delegated_roles(rolename)
+  if rolename in _roledb_dict:
+    del _roledb_dict[rolename]
+
+
+
+
+
+def remove_delegated_roles(rolename):
+  """
+  <Purpose>
+    Remove a role's delegations (leaving the rest of the role alone).
+    All levels of delegation are removed, not just the directly delegated roles.
+    If 'rolename' is 'a/b/c' and the role database contains
+    ['a/b/c/d/e', 'a/b/c/d', 'a/b/c', 'a/b', 'a'], return
+    ['a/b/c', 'a/b', 'a'].
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format. 
+   
+    tuf.UnknownRoleError, if 'rolename' cannot be found in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    Role(s) from the role database may be deleted.
+
+  <Returns>
+    None.
+
+  """
+  
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+
+  for name in get_rolenames():
+    if name.startswith(rolename) and name != rolename:
+      del _roledb_dict[name]
+
+
+
+
+
+def get_rolenames():
+  """
+  <Purpose>
+    Return a list of the rolenames found in the role database.
+
+  <Arguments>
+    None.
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    None.
+  
+  <Returns>
+    A list of rolenames.
+
+  """
+  
+  return _roledb_dict.keys()
+
+
+
+
+
+def get_role_keyids(rolename):
+  """
+  <Purpose>
+    Return a list of the keyids associated with 'rolename'.
+    Keyids are used as identifiers for keys (e.g., rsa key).
+    A list of keyids are associated with each rolename.
+    Signing a metadata file, such as 'root.txt' (Root role),
+    involves signing or verifying the file with a list of
+    keys identified by keyid.
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format. 
+
+    tuf.UnknownRoleError, if 'rolename' cannot be found in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A list of keyids.
+
+  """
+  
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+
+  roleinfo = _roledb_dict[rolename]
+  
+  return roleinfo['keyids']
+
+
+
+
+
+def get_role_threshold(rolename):
+  """
+  <Purpose>
+    Return the threshold value of the role associated with 'rolename'.
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format. 
+
+    tuf.UnknownRoleError, if 'rolename' cannot be found in in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A threshold integer value.
+
+  """
+
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+
+  roleinfo = _roledb_dict[rolename]
+  
+  return roleinfo['threshold']
+
+
+
+
+
+def get_role_paths(rolename):
+  """
+  <Purpose>
+    Return the paths of the role associated with 'rolename'.
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format.
+
+    tuf.UnknownRoleError, if 'rolename' cannot be found in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A list of paths. 
+
+  """
+
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+
+  roleinfo = _roledb_dict[rolename]
+  
+  # Paths won't exist for non-target roles.
+  try:
+    return roleinfo['paths']
+  except KeyError:
+    return list()
+
+
+
+
+
+def get_delegated_rolenames(rolename):
+  """
+  <Purpose>
+    Return the delegations of a role.  If 'rolename' is 'a/b/c'
+    and the role database contains ['a/b/c/d', 'a/b/c/d/e', 'a/b/c'], 
+    return ['a/b/c/d', 'a/b/c/d/e']
+
+  <Arguments>
+    rolename:
+      An object representing the role's name, conformant to 'ROLENAME_SCHEMA'
+      (e.g., 'root', 'release', 'timestamp').
+
+  <Exceptions>
+    tuf.FormatError, if 'rolename' does not have the correct object format.
+
+    tuf.UnknownRoleError, if 'rolename' cannot be found in the role database.
+
+    tuf.InvalidNameError, if 'rolename' is incorrectly formatted.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A list of rolenames.
+
+  """
+
+  # Raises tuf.FormatError, tuf.UnknownRoleError, or tuf.InvalidNameError.
+  _check_rolename(rolename)
+
+  # The list of delegated roles to be returned. 
+  delegated_roles = []
+
+  rolename_with_slash = rolename + '/'
+  for name in get_rolenames():
+    if name.startswith(rolename_with_slash) and name != rolename:
+      delegated_roles.append(name)
+  
+  return delegated_roles
+
+
+
+
+
+def clear_roledb():
+  """
+  <Purpose>
+    Reset the roledb database.
+
+  <Arguments>
+    None.
+
+  <Exceptions>
+    None.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    None.
+
+  """
+
+  _roledb_dict.clear()
+
+
+
+
+
+def _check_rolename(rolename):
+  """
+  Raise tuf.FormatError if 'rolename' does not match
+  'tuf.formats.ROLENAME_SCHEMA', tuf.UnknownRoleError if 'rolename' is not
+  found in the role database, or tuf.InvalidNameError if 'rolename' is
+  not formatted correctly.
+
+  """
+  
+  # Does 'rolename' have the correct object format?
+  # This check will ensure 'rolename' has the appropriate number of objects 
+  # and object types, and that all dict keys are properly named.
+  tuf.formats.ROLENAME_SCHEMA.check_match(rolename)
+
+  # Raises tuf.InvalidNameError.
+  _validate_rolename(rolename)
+  
+  if rolename not in _roledb_dict:
+    raise tuf.UnknownRoleError('Role name does not exist: '+rolename)
+
+
+
+
+
+def _validate_rolename(rolename):
+  """
+  Raise tuf.InvalidNameError if 'rolename' is not formatted correctly.
+  It is assumed 'rolename' has been checked against 'ROLENAME_SCHEMA'
+  prior to calling this function.
+
+  """
+
+  if rolename == '':
+    raise tuf.InvalidNameError('Rolename must not be an empty string')
+
+  if rolename != rolename.strip():
+    raise tuf.InvalidNameError(
+             'Invalid rolename. Cannot start or end with whitespace: '+rolename)
+
+  if rolename.startswith('/') or rolename.endswith('/'):
+    raise tuf.InvalidNameError(
+             'Invalid rolename. Cannot start or end with "/": '+rolename)
diff --git a/src/tuf/rsa_key.py b/src/tuf/rsa_key.py
new file mode 100755
index 00000000..075315ce
--- /dev/null
+++ b/src/tuf/rsa_key.py
@@ -0,0 +1,425 @@
+"""
+<Program Name>
+  rsa_key.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  March 9, 2012.  Based on a previous version of this module by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  The goal of this module is to support public-key cryptography using
+  the RSA algorithm.  The RSA-related functions provided include
+  generate(), create_signature(), and verify_signature().  The 'evpy' package
+  used by 'rsa_key.py' generates the actual RSA keys and the functions listed
+  above can be viewed as an easy-to-use public interface.  Additional functions
+  contained here include create_in_metadata_format() and
+  create_from_metadata_format().  These last two functions produce or use RSA
+  keys compatible with the key structures listed in TUF Metadata files.
+  The generate() function returns a dictionary containing all the information
+  needed of RSA keys, such as public and private keys, keyIDs, and an iden-
+  fier.  create_signature() and verify_signature() are supplemental functions
+  used for generating RSA signatures and verifying them.
+
+  Key IDs are used as identifiers for keys (e.g., RSA key).  They are the
+  hexadecimal representation of the hash of key object (specifically, the key
+  object containing only the public key).  See 'rsa_key.py' and the
+  '_get_keyid()' function to see precisely how keyids are generated.  One may
+  get the keyid of a key object by simply accessing the dictionary's 'keyid'
+  key (i.e., rsakey['keyid']).
+
+"""
+
+
+# Required for hexadecimal conversions.
+import binascii
+
+# Needed to generate, sign, and verify RSA keys. 
+import evpy.signature
+import evpy.envelope
+
+# Digest objects needed to generate hashes.
+import tuf.hash
+
+# Perform object format-checking.
+import tuf.formats
+
+
+_KEY_ID_HASH_ALGORITHM = 'sha256'
+
+# Recommended RSA key sizes: http://www.rsa.com/rsalabs/node.asp?id=2004
+# According to the document above, revised May 6, 2003, RSA keys of
+# size 3072 provide security through 2031 and beyond.
+_DEFAULT_RSA_KEY_BITS = 3072
+
+
+def generate(bits=_DEFAULT_RSA_KEY_BITS):
+  """
+  <Purpose> 
+    Generate public and private RSA keys, with modulus length 'bits'.
+    In addition, a keyid used as an identifier for RSA keys is generated.
+    The object returned conforms to tuf.formats.RSAKEY_SCHEMA and as the form:
+    {'keytype': 'rsa',
+     'keyid': keyid,
+     'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+    
+    The public and private keys are in PEM format and stored as strings.
+  
+  <Arguments>
+    bits:
+      The key size, or key length, of the RSA key.
+
+  <Exceptions>
+    tuf.CryptoError, if an exception occurs after calling evpy.envelope.keygen().
+
+    tuf.FormatError, if 'bits' does not contain the correct format.
+
+  <Side Effects>
+    The RSA keys are generated by calling evpy.envelope.keygen().
+
+  <Returns>
+    A dictionary containing the RSA keys and other identifying information.
+  
+  """
+
+
+  # Does 'bits' have the correct format?
+  # This check will ensure 'bits' conforms to 'tuf.formats.RSAKEYBITS_SCHEMA'.
+  # 'bits' must be an integer object, with a minimum value of 2048.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.RSAKEYBITS_SCHEMA.check_match(bits)
+  
+  # Begin building the RSA key dictionary. 
+  rsakey_dict = {}
+  keytype = 'rsa'
+  
+  # Generate the public and private keys.  'public_key' and 'private_key'
+  # will both be strings containing RSA keys in PEM format.
+  # The evpy.envelope module performs the actual key generation.  The 
+  # evpy.envelope.keygen() function returns a (public, private) tuple. 
+  
+  try:
+    public_key, private_key = evpy.envelope.keygen(bits, pem=True)
+  except (EnvelopeError, KeygenError, MemoryError), e:
+    raise tuf.CryptoError(e)
+
+  # Generate the keyid for the RSA key.  'key_value' corresponds to the
+  # 'keyval' entry of the RSAKEY_SCHEMA dictionary.
+  key_value = {'public': public_key,
+               'private': ''}
+
+  keyid = _get_keyid(key_value)
+
+  # Build the 'rsakey_dict' dictionary.
+  # Update 'key_value' with the RSA private key prior to adding
+  # 'key_value' to 'rsakey_dict'.
+  key_value['private'] = private_key
+
+  rsakey_dict['keytype'] = keytype
+  rsakey_dict['keyid'] = keyid
+  rsakey_dict['keyval'] = key_value
+
+  return rsakey_dict
+
+
+
+
+
+def create_in_metadata_format(key_value, private=False):
+  """
+  <Purpose>
+    Return a dictionary conformant to tuf.formats.KEY_SCHEMA.
+    If 'private' is True, include the private key.  The dictionary
+    returned has the form:
+    {'keytype': 'rsa',
+     'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+    or
+
+    {'keytype': 'rsa',
+     'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                'private': ''}} if 'private' is False.
+    
+    The private and public keys are in PEM format.
+    
+    RSA keys are stored in Metadata files (e.g., root.txt) in the format
+    returned by this function.
+  
+  <Arguments>
+    key_value:
+      A dictionary containing a private and public RSA key.
+      'key_value' is of the form:
+
+      {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+       'private': '-----BEGIN RSA PRIVATE KEY----- ...'}},
+      conformat to tuf.formats.KEYVAL_SCHEMA.
+
+    private:
+      Indicates if the private key should be included in the
+      returned dictionary.
+
+  <Exceptions>
+    tuf.FormatError, if 'key_value' does not conform to 
+    tuf.formats.KEYVAL_SCHEMA.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    An KEY_SCHEMA dictionary.
+
+  """
+	
+
+  # Does 'key_value' have the correct format?
+  # This check will ensure 'key_value' has the appropriate number
+  # of objects and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.KEYVAL_SCHEMA.check_match(key_value)
+
+  if private and key_value['private']:
+    return {'keytype': 'rsa', 'keyval': key_value}
+  else:
+    public_key_value = {'public': key_value['public'], 'private': ''}
+    return {'keytype': 'rsa', 'keyval': public_key_value}
+
+
+
+
+
+def create_from_metadata_format(key_metadata):
+  """
+  <Purpose>
+    Construct an RSA key dictionary (i.e., tuf.formats.RSAKEY_SCHEMA)
+    from 'key_metadata'.  The dict returned by this function has the exact
+    format as the dict returned by generate().  It is of the form:
+   
+    {'keytype': 'rsa',
+     'keyid': keyid,
+     'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+
+    The public and private keys are in PEM format and stored as strings.
+
+    RSA key dictionaries in RSAKEY_SCHEMA format should be used by
+    modules storing a collection of keys, such as a keydb and keystore.
+    RSA keys as stored in metadata files use a different format, so this 
+    function should be called if an RSA key is extracted from one of these 
+    metadata files and needs converting.  Generate() creates an entirely
+    new key and returns it in the format appropriate for keydb and keystore.
+
+  <Arguments>
+    key_metadata:
+      The RSA key dictionary as stored in Metadata files, conforming to
+      tuf.formats.KEY_SCHEMA.
+
+  <Exceptions>
+    tuf.FormatError, if 'key_metadata' does not conform to
+    tuf.formats.KEY_SCHEMA.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A dictionary containing the RSA keys and other identifying information.
+
+  """
+
+
+  # Does 'key_metadata' have the correct format?
+  # This check will ensure 'key_metadata' has the appropriate number
+  # of objects and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.KEY_SCHEMA.check_match(key_metadata)
+
+  # Construct the dictionary to be returned.
+  rsakey_dict = {}
+  keytype = 'rsa'
+  key_value = key_metadata['keyval']
+
+  keyid = _get_keyid(key_value)
+
+  # We now have all the required key values.
+  # Build 'rsakey_dict'.
+  rsakey_dict['keytype'] = keytype
+  rsakey_dict['keyid'] = keyid
+  rsakey_dict['keyval'] = key_value
+
+  return rsakey_dict
+
+
+
+
+
+def _get_keyid(key_value):
+  """Return the keyid for 'key_value'."""
+
+  # 'keyid' will be generated from an object conformant to KEY_SCHEMA,
+  # which is the format Metadata files (e.g., root.txt) store keys.
+  # 'create_in_metadata_format()' returns the object needed by _get_keyid().
+  rsakey_meta = create_in_metadata_format(key_value, private=False)
+
+  # Convert the RSA key to JSON Canonical format suitable for adding
+  # to digest objects.
+  rsakey_update_data = tuf.formats.encode_canonical(rsakey_meta)
+
+  # Create a digest object and call update(), using the JSON 
+  # canonical format of 'rskey_meta' as the update data.
+  digest_object = tuf.hash.digest(_KEY_ID_HASH_ALGORITHM)
+  digest_object.update(rsakey_update_data)
+
+  # 'keyid' becomes the hexadecimal representation of the hash.  
+  keyid = digest_object.hexdigest()
+
+  return keyid
+
+
+
+
+
+def create_signature(rsakey_dict, data):
+  """
+  <Purpose>
+    Return a signature dictionary of the form:
+    {'keyid': keyid, 'method': 'evp', 'sig': sig}.
+
+    The signing process will use the private key
+    rsakey_dict['keyval']['private'] and 'data' to generate the signature.
+
+  <Arguments>
+    rsakey_dict:
+      A dictionary containing the RSA keys and other identifying information.
+      'rsakey_dict' has the form:
+    
+      {'keytype': 'rsa',
+       'keyid': keyid,
+       'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                  'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+
+      The public and private keys are in PEM format and stored as strings.
+
+    data:
+      Data object used by create_signature() to generate the signature.
+
+  <Exceptions>
+    TypeError, if a private key is not defined for 'rsakey_dict'.
+
+    tuf.FormatError, if an incorrect format is found for the
+    'rsakey_dict' object.
+
+  <Side Effects>
+    evpy.signature.sign() called to perform the actual signing.
+
+  <Returns>
+    A signature dictionary conformat to tuf.format.SIGNATURE_SCHEMA.
+
+  """
+
+
+  # Does 'rsakey_dict' have the correct format?
+  # This check will ensure 'rsakey_dict' has the appropriate number
+  # of objects and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.RSAKEY_SCHEMA.check_match(rsakey_dict)
+
+  # Signing the 'data' object requires a private key.
+  # The 'evp' (i.e., evpy) signing method is the only method
+  # currently supported.
+  signature = {} 
+  private_key = rsakey_dict['keyval']['private']
+  keyid = rsakey_dict['keyid']
+  method = 'evp'
+  
+  if private_key:
+    sig = evpy.signature.sign(data, key=private_key)
+  else:
+    raise TypeError('The required private key is not defined for rsakey_dict.')
+
+  # Build the signature dictionary to be returned.
+  # The hexadecimal representation of 'sig' is stored in the signature.
+  signature['keyid'] = keyid
+  signature['method'] = method
+  signature['sig'] = binascii.hexlify(sig)
+
+  return signature
+
+
+
+
+
+def verify_signature(rsakey_dict, signature, data):
+  """
+  <Purpose>
+    Determine whether the private key belonging to 'rsakey_dict' produced
+    'signature'.  verify_signature() will use the public key found in
+    'rsakey_dict', the 'method' and 'sig' objects contained in 'signature',
+    and 'data' to complete the verification.  Type-checking performed on both
+    'rsakey_dict' and 'signature'.
+
+  <Arguments>
+    rsakey_dict:
+      A dictionary containing the RSA keys and other identifying information.
+      'rsakey_dict' has the form:
+     
+      {'keytype': 'rsa',
+       'keyid': keyid,
+       'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                  'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+
+      The public and private keys are in PEM format and stored as strings.
+      
+    signature:
+      The signature dictionary produced by tuf.rsa_key.create_signature().
+      'signature' has the form:
+      {'keyid': keyid, 'method': 'method', 'sig': sig}.  Conformant to
+      tuf.formats.SIGNATURE_SCHEMA.
+      
+    data:
+      Data object used by tuf.rsa_key.create_signature() to generate
+      'signature'.  'data' is needed here to verify the signature.
+
+  <Exceptions>
+    tuf.UnknownMethodError.  Raised if the signing method used by
+    'signature' is not one supported by tuf.rsa_key.create_signature().
+    
+    tuf.FormatError. Raised if either 'rsakey_dict'
+    or 'signature' do not match their respective tuf.formats schema.
+    'rsakey_dict' must conform to tuf.formats.RSAKEY_SCHEMA.
+    'signature' must conform to tuf.formats.SIGNATURE_SCHEMA.
+
+  <Side Effects>
+    evpy.signature_verify() called to do the actual verification.
+
+  <Returns>
+    Boolean.
+
+  """
+
+
+  # Does 'rsakey_dict' have the correct format?
+  # This check will ensure 'rsakey_dict' has the appropriate number
+  # of objects and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.RSAKEY_SCHEMA.check_match(rsakey_dict)
+
+  # Does 'signature' have the correct format?
+  tuf.formats.SIGNATURE_SCHEMA.check_match(signature)
+
+  # Using the public key belonging to 'rsakey_dict'
+  # (i.e., rsakey_dict['keyval']['public']), verify whether 'signature'
+  # was produced by rsakey_dict's corresponding private key
+  # rsakey_dict['keyval']['private'].  Before returning the Boolean result,
+  # ensure 'evp' was used as the signing method.
+
+  method = signature['method']
+  sig = signature['sig']
+  public_key = rsakey_dict['keyval']['public']
+
+  if method != 'evp':
+    raise tuf.UnknownMethodError(method)
+  return evpy.signature.verify(data, binascii.unhexlify(sig), key=public_key)
diff --git a/src/tuf/schema.py b/src/tuf/schema.py
new file mode 100755
index 00000000..df8258c0
--- /dev/null
+++ b/src/tuf/schema.py
@@ -0,0 +1,797 @@
+"""
+<Program Name>
+  schema.py
+
+<Author>
+  Geremy Condra
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  Refactored April 30, 2012 (previously named checkjson.py). -Vlad
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Provide a variety of classes that compare objects
+  based on their format and determine if they match.
+  These classes, or schemas, do not simply check the
+  type of the objects being compared, but inspect
+  additional aspects of the objects like names and
+  the number of items included.
+
+  For example:
+  >>> good = {'first': 'Marty', 'last': 'McFly'}
+  >>> bad = {'sdfsfd': 'Biff', 'last': 'Tannen'} 
+  >>> schema = Object(first=AnyString(), last=AnyString())
+  >>> schema.matches(good)
+  True
+  >>> schema.matches(bad)
+  False
+
+  In the process of determining if the two objects matched the template,
+  tuf.schema.Object() inspected the named keys of both dictionaries.
+  In the case of the 'bad' dict, a 'first' dict key could not be found.
+  As a result, 'bad' was flagged a mismatch.
+  
+  'schema.py' provides additional schemas for testing objects based on other
+  criteria.  See 'tuf.formats.py' and the rest of this module for extensive
+  examples.  Anything related to the checking of TUF objects and their formats
+  can be found in 'formats.py'.
+
+"""
+
+
+import re
+import sys
+
+import tuf
+
+
+class Schema:
+  """
+  <Purpose>
+    A schema matches a set of possible Python objects, of types
+    that are encodable in JSON.  'Schema' is the base class for
+    the other classes defined in this module.  All derived classes
+    should implement check_match().
+  
+  """
+
+  def matches(self, object):
+    """
+    <Purpose> 
+      Return True if 'object' matches this schema, False if it doesn't.
+      If the caller wishes to signal an error on a failed match, check_match()
+      should be called, which will raise a 'tuf.FormatError' exception.
+      
+    """
+    
+    try:
+      self.check_match(object)
+    except tuf.FormatError:
+      return False
+    else:
+      return True
+
+
+  def check_match(self, object):
+    """
+    <Purpose> 
+      Abstract method.  Classes that inherit from 'Schema' must
+      implement check_match().  If 'object' matches the schema, check_match()
+      should simply return.  If 'object' does not match the schema,
+      'tuf.FormatError' should be raised.
+    
+    """
+    
+    raise NotImplementedError()
+
+
+
+
+
+class Any(Schema):
+  """
+  <Purpose>
+    Matches any single object.  Whereas other schemas explicitly state
+    the required type of its argument, Any() does not. It simply does a
+    'pass' when 'check_match()' is called and at the point where the schema
+    is instantiated.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+    
+    >>> schema = Any()
+    >>> schema.matches('A String')
+    True
+    >>> schema.matches([1, 'list'])
+    True
+
+  """
+
+  def __init__(self):
+    pass
+
+
+  def check_match(self, object):
+    pass
+
+
+
+
+
+class String(Schema):
+  """
+  <Purpose>
+    Matches a particular string.  The argument object
+    must be a string and be equal to a specific string value.
+    At instantiation, the string is set and any future comparisons
+    are checked against this internal string value.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+    
+    >>> schema = String('Hi')
+    >>> schema.matches('Hi')
+    True
+    >>> schema.matches('Not hi')
+    False
+  
+  """
+
+  def __init__(self, string):
+    self._string = string
+
+
+  def check_match(self, object):
+    if self._string != object:
+      raise tuf.FormatError('Expected '+repr(self._string)+' got '+repr(object))
+
+
+
+
+
+class AnyString(Schema):
+  """
+  <Purpose>
+    Matches any string, but not a non-string object.  This schema
+    can be viewed as the Any() schema applied to Strings, but an
+    additional check is performed to ensure only strings are considered.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+    
+    >>> schema = AnyString()
+    >>> schema.matches('')
+    True
+    >>> schema.matches('a string')
+    True
+    >>> schema.matches(['a'])
+    False
+    >>> schema.matches(3)
+    False
+    >>> schema.matches(u'a unicode string')
+    True
+    >>> schema.matches({})
+    False
+    
+  """
+
+  def __init__(self):
+    pass
+
+
+  def check_match(self, object):
+    if not isinstance(object, basestring):
+      raise tuf.FormatError('Expected a string but got '+repr(object))
+
+
+
+
+
+class OneOf(Schema):
+  """
+  <Purpose>
+    Matches an object that matches any one of several schemas.  OneOf()
+    returns a result as soon as one of its recognized sub-schemas is encountered
+    in the object argument.  When OneOf() is instantiated, its supported
+    sub-schemas are specified by a sequence type (e.g., a list, tuple, etc.).
+    A mismatch is returned after checking all sub-schemas and not finding
+    a supported type.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = OneOf([ListOf(Integer()), String('Hello'), String('bye')])
+    >>> schema.matches(3)
+    False
+    >>> schema.matches('bye')
+    True
+    >>> schema.matches([])
+    True
+    >>> schema.matches([1,2])
+    True
+    >>> schema.matches(['Hi'])
+    False
+
+  """
+
+  def __init__(self, alternatives):
+    self._alternatives = alternatives
+
+
+  def check_match(self, object):
+    # Simply return as soon as we find a match.
+    # Raise 'tuf.FormatError' if no matches are found.
+    for alternative in self._alternatives:
+      if alternative.matches(object):
+        return
+    raise tuf.FormatError('Object did not match a recognized alternative.')
+
+
+
+
+
+class AllOf(Schema):
+  """
+  <Purpose>  
+    Matches the intersection of a list of schemas.  The object being tested
+    must match all of the required sub-schemas.  Unlike OneOf(), which can
+    return a result as soon as a match is found in one of its supported
+    sub-schemas, AllOf() must verify each sub-schema before returning a 
+    result.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = AllOf([Any(), AnyString(), String('a')])
+    >>> schema.matches('b')
+    False
+    >>> schema.matches('a')
+    True
+  
+  """
+
+  def __init__(self, required_schemas):
+    self._required_schemas = required_schemas[:]
+
+
+  def check_match(self, object):
+    for required_schema in self._required_schemas:
+      required_schema.check_match(object)
+
+
+
+
+
+class Boolean(Schema):
+  """
+  <Purpose>
+    Matches a boolean.  The object argument must be one
+    of True or False.  All other types are flagged as mismatches.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = Boolean()
+    >>> schema.matches(True) and schema.matches(False)
+    True
+    >>> schema.matches(11)
+    False
+ 
+ """
+
+  def __init__(self):
+    pass
+
+
+  def check_match(self, object):
+    if not isinstance(object, bool):
+      raise tuf.FormatError('Got '+repr(object)+' instead of a boolean.')
+
+
+
+
+
+class ListOf(Schema):
+  """
+  <Purpose>
+    Matches a homogeneous list of some sub-schema.  That is, all the
+    sub-schema must be of the same type.  The object argument must
+    be a sequence type (e.g., a list, tuple, etc.).  When ListOf()
+    is instantiated, a minimum and maximum count can be specified
+    for the homogeneous sub-schema list.  If min_count is set to
+    'n', the object argument sequence must contain 'n' items.  See
+    ListOf()'s __init__ method for the expected arguments.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = ListOf(RegularExpression('(?:..)*'))
+    >>> schema.matches('hi')
+    False
+    >>> schema.matches([])
+    True
+    >>> schema.matches({})
+    False
+    >>> schema.matches(['Hi', 'this', 'list', 'is', 'full', 'of', 'even', 'strs'])
+    True
+    >>> schema.matches(['This', 'one', 'is not'])
+    False
+
+    >>> schema = ListOf(Integer(), min_count=3, max_count=10)
+    >>> schema.matches([3]*2)
+    False
+    >>> schema.matches([3]*3)
+    True
+    >>> schema.matches([3]*10)
+    True
+    >>> schema.matches([3]*11)
+    False
+
+  """
+
+  def __init__(self, schema, min_count=0, max_count=sys.maxint, list_name='list'):
+    """
+    <Purpose> 
+      Create a new ListOf schema.
+
+    <Arguments>
+      schema:  The pattern to match.
+      min_count: The minimum number of sub-schema in 'schema'.
+      max_count: The maximum number of sub-schema in 'schema'.
+      list_name: A string identifier for the ListOf object.
+        
+    """
+    
+    self._schema = schema
+    self._min_count = min_count
+    self._max_count = max_count
+    self._list_name = list_name
+
+  
+  def check_match(self, object):
+    if not isinstance(object, (list, tuple)):
+      raise tuf.FormatError('Expected '+repr(self._list_name)+'; got '+repr(object))
+
+    # Check if all the items in the 'object' list
+    # match 'schema'.
+    for item in object:
+      try:
+        self._schema.check_match(item)
+      except tuf.FormatError, e:
+        raise tuf.FormatError(str(e)+' in '+repr(self._list_name))
+
+    # Raise exception if the number of items in the list is
+    # not within the expected range.
+    if not (self._min_count <= len(object) <= self._max_count):
+        raise tuf.FormatError('Length of '+repr(self._list_name)+' out of range')
+
+
+
+
+
+class Integer(Schema):
+  """
+  <Purpose>
+    Matches an integer.  A range can be specified.
+    For example, only integers between 8 and 42 can be set as
+    a requirement.  The object argument is also checked against
+    a Boolean type, since booleans have historically been considered
+    a sub-type of integer.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = Integer()
+    >>> schema.matches(99)
+    True
+    >>> schema.matches(False)
+    False
+    >>> schema.matches(0L)
+    True
+    >>> schema.matches('a string')
+    False
+    >>> Integer(lo=10, hi=30).matches(25)
+    True
+    >>> Integer(lo=10, hi=30).matches(5)
+    False
+
+  """
+
+  def __init__(self, lo= -sys.maxint, hi=sys.maxint):
+    """
+    <Purpose> 
+      Create a new Integer schema.
+
+    <Arguments>
+      lo: The minimum value the int object argument can be.
+      hi: The maximum value the int object argument can be.
+        
+    """
+    
+    self._lo = lo
+    self._hi = hi
+
+
+  def check_match(self, object):
+    if isinstance(object, bool) or not isinstance(object, (int, long)):
+      # We need to check for bool as a special case, since bool
+      # is for historical reasons a subtype of int.
+      raise tuf.FormatError('Got '+repr(object)+' instead of an integer')
+    
+    elif not (self._lo <= object <= self._hi):
+      int_range = '['+repr(self._lo)+','+repr(self._hi)+']'
+      raise tuf.FormatError(repr(object)+' not in range '+int_range)
+
+
+
+
+
+class DictOf(Schema):
+  """
+  <Purpose>
+    Matches a mapping from items matching a particular key-schema
+    to items matching a value-schema (i.e., the object being checked
+    must be a dict).  Note that in JSON, keys must be strings.  In the
+    example below, the keys of the dict must be one of the letters
+    contained in 'aeiou' and the value must be a structure containing
+    any two strings.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = DictOf(RegularExpression(r'[aeiou]+'), Struct([AnyString(), AnyString()]))
+    >>> schema.matches('')
+    False
+    >>> schema.matches({})
+    True
+    >>> schema.matches({'a': ['x', 'y'], 'e' : ['', '']})
+    True
+    >>> schema.matches({'a': ['x', 3], 'e' : ['', '']})
+    False
+    >>> schema.matches({'a': ['x', 'y'], 'e' : ['', ''], 'd' : ['a', 'b']})
+    False
+
+  """
+
+  def __init__(self, key_schema, value_schema):
+    """
+    <Purpose> 
+      Create a new DictOf schema.
+
+    <Arguments>
+      key_schema:  The dictionary's key.
+      value_schema: The dictionary's value.
+        
+    """
+    
+    self._key_schema = key_schema
+    self._value_schema = value_schema
+
+
+  def check_match(self, object):
+    if not isinstance(object, dict): 
+      raise tuf.FormatError('Expected a dict but got '+repr(object))
+
+    for key, value in object.items():
+      self._key_schema.check_match(key)
+      self._value_schema.check_match(value)
+
+
+
+
+
+class Optional(Schema):
+  """
+  <Purpose> 
+    Provide a way for the Object() schema to accept optional
+    dictionary keys.  The Object() schema outlines how a dictionary
+    should look, such as the names for dict keys and the object type
+    of the dict values.  Optional()'s intended use is as a sub-schema
+    to Object().  Object() flags an object as a mismatch if a required
+    key is not encountered, however, dictionary keys labeled Optional()
+    are not required to appear in the object's list of required keys.
+    If an Optional() key IS found, Optional()'s sub-schemas are
+    then verified.
+    
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = Object(k1=String('X'), k2=Optional(String('Y')))
+    >>> schema.matches({'k1': 'X', 'k2': 'Y'})
+    True
+    >>> schema.matches({'k1': 'X', 'k2': 'Z'})
+    False
+    >>> schema.matches({'k1': 'X'})
+    True
+    
+  """
+
+  def __init__(self, schema):
+    self._schema = schema
+
+  
+  def check_match(self, object):
+    self._schema.check_match(object)
+
+
+
+
+
+class Object(Schema):
+  """
+  <Purpose>
+    Matches a dict from specified keys to key-specific types.  Unrecognized
+    keys are allowed.  The Object() schema outlines how a dictionary
+    should look, such as the names for dict keys and the object type of the
+    dict values.  See schema.Optional() to learn how Object() incorporates
+    optional sub-schemas.
+    
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = Object(a=AnyString(), bc=Struct([Integer(), Integer()]))
+    >>> schema.matches({'a':'ZYYY', 'bc':[5,9]})
+    True
+    >>> schema.matches({'a':'ZYYY', 'bc':[5,9], 'xx':5})
+    True
+    >>> schema.matches({'a':'ZYYY', 'bc':[5,9,3]})
+    False
+    >>> schema.matches({'a':'ZYYY'})
+    False
+    
+  """
+
+  def __init__(self, object_name='object', **required):
+    """
+    <Purpose> 
+      Create a new Object schema.
+
+    <Arguments>
+      object_name: A string identifier for the object argument.
+      
+      A variable number of keyword arguments is accepted.
+        
+    """
+    
+    self._object_name = object_name
+    self._required = required.items()
+
+
+  def check_match(self, object):
+    if not isinstance(object, dict):
+      raise tuf.FormatError('Wanted a '+repr(self._object_name)+' did not get a dict')
+    
+    # (key, schema) = (a, AnyString()) = (a=AnyString())
+    for key, schema in self._required:
+      # Check if 'object' has all the required dict keys.
+      # If not one of the required keys, check if it is an Optional().
+      try:
+        item = object[key]
+      except KeyError:
+        # If not an Optional schema, raise an exception.
+        if not isinstance(schema, Optional):
+          message = 'Missing key '+repr(key)+' in '+repr(self._object_name)
+          raise tuf.FormatError(message)
+      # Check that 'object's schema matches Object()'s schema for this
+      # particular 'key'.
+      else:
+        try:
+          schema.check_match(item)
+        except tuf.FormatError, e:
+          raise tuf.FormatError(str(e)+' in '+self._object_name+'.'+key)
+
+
+
+
+
+class Struct(Schema):
+  """
+  <Purpose>
+    Matches a non-homogeneous list of items.  The sub-schemas
+    are allowed to vary.  The object argument must be a sequence type
+    (e.g., a list, tuple, etc.).  There is also an option to specify
+    that additional schemas not explicitly defined at instantiation
+    are allowed.  See __init__() for the complete list of arguments
+    accepted.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = Struct([ListOf(AnyString()), AnyString(), String('X')])
+    >>> schema.matches(False)
+    False
+    >>> schema.matches('Foo')
+    False
+    >>> schema.matches([[], 'Q', 'X'])
+    True
+    >>> schema.matches([[], 'Q', 'D'])
+    False
+    >>> schema.matches([[3], 'Q', 'X'])
+    False
+    >>> schema.matches([[], 'Q', 'X', 'Y'])
+    False
+
+    >>> schema = Struct([String('X')], allow_more=True)
+    >>> schema.matches([])
+    False
+    >>> schema.matches(['X'])
+    True
+    >>> schema.matches(['X', 'Y'])
+    True
+    >>> schema.matches(['X', ['Y', 'Z']])
+    True
+    >>> schema.matches([['X']])
+    False
+
+    >>> schema = Struct([String('X'), Integer()], [Integer()])
+    >>> schema.matches([])
+    False
+    >>> schema.matches({})
+    False
+    >>> schema.matches(['X'])
+    False
+    >>> schema.matches(['X', 3])
+    True
+    >>> schema.matches(['X', 3, 9])
+    True
+    >>> schema.matches(['X', 3, 9, 11])
+    False
+    >>> schema.matches(['X', 3, 'A'])
+    False
+
+  """
+
+  def __init__(self, sub_schemas, optional_schemas=[], allow_more=False,
+               struct_name='list'):
+    """
+    <Purpose> 
+      Create a new Struct schema.
+
+    <Arguments>
+      sub_schemas: The sub-schemas recognized.
+      optional_schemas: The optional list of schemas.
+      allow_more: Specifies that an optional list of types is allowed.
+      struct_name: A string identifier for the Struct object.
+        
+    """
+    
+    self._sub_schemas = sub_schemas + optional_schemas
+    self._min = len(sub_schemas)
+    self._allow_more = allow_more
+    self._struct_name = struct_name
+
+
+  def check_match(self, object):
+    if not isinstance(object, (list, tuple)):
+      raise tuf.FormatError('Expected '+repr(self._struct_name)+'; got '+repr(object))
+    elif len(object) < self._min:
+      raise tuf.FormatError('Too few fields in '+self._struct_name)
+    elif len(object) > len(self._sub_schemas) and not self._allow_more:
+      raise tuf.FormatError('Too many fields in '+self._struct_name)
+    
+    # Iterate through the items of 'object', checking against each schema
+    # in the list of schemas allowed (i.e., the sub-schemas and also
+    # any optional schemas.  The lenth of 'object' must be less than
+    # the length of the required schemas + the optional schemas.  However,
+    # 'object' is allowed to be only as large as the length of the required
+    # schemas.  In the while loop below, we check against these two cases.
+    index = 0
+    while index < len(object) and index < len(self._sub_schemas):
+      item = object[index]
+      schema = self._sub_schemas[index]
+      schema.check_match(item)
+      index = index + 1
+
+
+
+
+
+class RegularExpression(Schema):
+  """
+  <Purpose> 
+    Matches any string that matches a given regular expression.
+    The RE pattern set when RegularExpression is instantiated
+    must not be None.  See __init__() for a complete list of
+    accepted arguments.
+
+    Supported methods include
+      matches(): returns a Boolean result.
+      check_match(): raises 'tuf.FormatError' on a mismatch.
+
+  <Example Use>
+
+    >>> schema = RegularExpression('h.*d')
+    >>> schema.matches('hello world')
+    True
+    >>> schema.matches('Hello World')
+    False
+    >>> schema.matches('hello world!')
+    False
+    >>> schema.matches([33, 'Hello'])
+    False
+    
+  """
+
+  def __init__(self, pattern=None, modifiers=0, re_object=None, re_name=None):
+    """
+    <Purpose> 
+      Create a new regular expression schema.
+
+    <Arguments>
+      pattern:  The pattern to match, or None if re_object is provided.
+      modifiers:  Flags to use when compiling the pattern.
+      re_object:  A compiled regular expression object.
+      re_name: Identifier for the regular expression object.
+        
+    """
+        
+    if re_object is None:
+      if pattern is None:
+        error = 'Cannot compare against an unset regular expression'
+        raise tuf.FormatError(error)
+      if not pattern.endswith('$'):
+        pattern += '$'
+      re_object = re.compile(pattern, modifiers)
+    self._re_object = re_object
+        
+    if re_name is None:
+      if pattern is not None:
+        re_name = 'pattern /'+pattern+'/'
+      else:
+        re_name = 'pattern'
+    self._re_name = re_name
+
+
+  def check_match(self, object):
+    if not isinstance(object, basestring) or not self._re_object.match(object):
+      raise tuf.FormatError(repr(object)+' did not match '+repr(self._re_name))
+
+
+
+
+
+if __name__ == '__main__':
+  # The interactive sessions of the documentation strings can
+  # be tested by running schema.py as a standalone module.
+  # python -B schema.py.
+  import doctest
+  doctest.testmod()
diff --git a/src/tuf/sig.py b/src/tuf/sig.py
new file mode 100755
index 00000000..32faae89
--- /dev/null
+++ b/src/tuf/sig.py
@@ -0,0 +1,313 @@
+"""
+<Program Name>
+  sig.py
+
+<Author>
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  February 28, 2012.   Based on a previous version by Geremy Condra.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Survivable key compromise is one feature of a secure update system
+  incorporated into TUF's design. Responsibility separation through
+  the use of multiple roles, multi-signature trust, and explicit and
+  implicit key revocation are some of the mechanisms employed towards
+  this goal of survivability.  These mechanisms can all be seen in
+  play by the functions available in this module.
+
+  The signed metadata files utilized by TUF to download target files
+  securely are used and represented here as the 'signable' object.
+  More precisely, the signature structures contained within these metadata
+  files are packaged into 'signable' dictionaries.  This module makes it
+  possible to capture the states of these signatures by organizing the
+  keys into different categories.  As keys are added and removed, the
+  system must securely and efficiently verify the status of these signatures.
+  For instance, a bunch of keys have recently expired. How many valid keys
+  are now available to the Release role?  This question can be answered by
+  get_signature_status(), which will return a full 'status report' of these 
+  'signable' dicts.  This module also provides a convenient verify() function
+  that will determine if a role still has a sufficient number of valid keys.
+  If a caller needs to update the signatures of a 'signable' object, there
+  is also a function for that.
+
+"""
+
+import tuf.formats
+import tuf.keydb
+import tuf.roledb
+
+
+def get_signature_status(signable, role=None):
+  """
+  <Purpose>
+    Return a dictionary representing the status of the signatures listed
+    in 'signable'.  Given an object conformant to SIGNABLE_SCHEMA, a set
+    of public keys in 'tuf.keydb', a set of roles in 'tuf.roledb',
+    and a role, the status of these signatures can be determined.  This
+    method will iterate through the signatures in 'signable' and enumerate
+    all the keys that are valid, invalid, unrecognized, unauthorized, or
+    generated using an unknown method.
+
+  <Arguments>
+    signable:
+      A dictionary containing a list of signatures and a 'signed' identifier.
+      signable = {'signed': 'signer',
+                  'signatures': [{'keyid': keyid,
+                                  'method': 'evp',
+                                  'sig': sig}]}
+      Conformant to tuf.formats.SIGNABLE_SCHEMA.
+
+    role:
+      TUF role (e.g., 'root', 'targets', 'release').
+
+  <Exceptions>
+    tuf.FormatError, if 'signable' does not have the correct format.
+
+    tuf.UnknownRoleError, if 'role' is not recognized.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    A dictionary representing the status of the signatures in 'signable'.
+    Conformant to tuf.formats.SIGNATURESTATUS_SCHEMA.
+
+  """
+
+  # Does 'signable' have the correct format?
+  # This check will ensure 'signable' has the appropriate number of objects 
+  # and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.SIGNABLE_SCHEMA.check_match(signable)
+
+  # The signature status dictionary returned.
+  signature_status = {}
+
+  # The fields of the signature_status dict.  A description of each field:
+  # good_sigs = keys confirmed to have produced 'sig' and 'method' using
+  # 'signed' and that are associated with 'role'; bad_sigs = negation of
+  # good_sigs; unknown_sigs = keys not found in the 'keydb' database; 
+  # untrusted_sigs = keys that are not in the list of keyids associated
+  # with 'role'; unknown_method_sigs = keys found to have used an 
+  # unsupported method of generating signatures. 
+  good_sigs = []
+  bad_sigs = []
+  unknown_sigs = []
+  untrusted_sigs = []
+  unknown_method_sigs = []
+
+  # Extract the relevant fields from 'signable' that will allow us to identify
+  # the different classes of keys (i.e., good_sigs, bad_sigs, etc.).
+  signed = signable['signed']
+  signatures = signable['signatures']
+
+  # 'signed' needed in canonical JSON format.
+  data = tuf.formats.encode_canonical(signed)
+
+  # Iterate through the signatures and enumerate the signature_status fields.
+  # (i.e., good_sigs, bad_sigs, etc.).
+  for signature in signatures:
+    sig = signature['sig']
+    keyid = signature['keyid']
+    method = signature['method']
+
+    # Identify unrecognized key.
+    try:
+      key = tuf.keydb.get_key(keyid)
+    except tuf.UnknownKeyError:
+      unknown_sigs.append(keyid)
+      continue
+
+    # Identify key using an unknown key signing method.
+    try:
+      valid_sig = tuf.rsa_key.verify_signature(key, signature, data)
+    except tuf.UnknownMethodError:
+      unknown_method_sigs.append(keyid)
+      continue
+
+    # We are now dealing with a valid key. 
+    if valid_sig:
+      if role is not None:
+        try:
+          # Identify unauthorized key. 
+          if keyid not in tuf.roledb.get_role_keyids(role):
+            untrusted_sigs.append(keyid)
+            continue
+        # Unknown role, re-raise exception. 
+        except tuf.UnknownRoleError:
+          raise
+      # Identify good/authorized key.
+      good_sigs.append(keyid)
+    else:
+      # Identify bad key.
+      bad_sigs.append(keyid)
+
+  # Retrieve the threshold value for 'role'.  Raise tuf.UnknownRoleError
+  # if we were given an invalid role.
+  if role is not None:
+    try:
+      threshold = tuf.roledb.get_role_threshold(role)
+    except tuf.UnknownRoleError:
+      raise
+  else:
+    threshold = 0
+
+  # Build the signature_status dict.
+  signature_status['threshold']  = threshold
+  signature_status['good_sigs'] = good_sigs
+  signature_status['bad_sigs'] = bad_sigs
+  signature_status['unknown_sigs'] = unknown_sigs
+  signature_status['untrusted_sigs'] = untrusted_sigs
+  signature_status['unknown_method_sigs'] = unknown_method_sigs
+
+  return signature_status
+
+
+
+
+
+def verify(signable, role):
+  """
+  <Purpose> 
+    Verify whether the authorized signatures of 'signable' meet the minimum
+    required by 'role'.  Authorized signatures are those with valid keys
+    associated with 'role'.  'signable' must conform to SIGNABLE_SCHEMA
+    and 'role' must not equal 'None' or be less than zero.
+
+  <Arguments>
+    signable:
+      A dictionary containing a list of signatures and a 'signed' identifier.
+      signable = {'signed':, 'signatures': [{'keyid':, 'method':, 'sig':}]}
+
+    role:
+      TUF role (e.g., 'root', 'targets', 'release').
+
+  <Exceptions>
+    tuf.UnknownRoleError, if 'role' is not recognized.
+
+    tuf.FormatError, if 'signable' is not formatted correctly.
+
+    tuf.Error, if an invalid threshold is encountered.
+
+  <Side Effects>
+    tuf.sig.get_signature_status() called.  Any exceptions thrown by
+    get_signature_status() will be caught here and re-raised.
+
+  <Returns>
+    Boolean.  True if the number of good signatures >= the role's threshold,
+    False otherwise.
+
+  """
+
+  # Retrieve the signature status.  tuf.sig.get_signature_status() raises
+  # tuf.UnknownRoleError
+  # tuf.FormatError
+  status = get_signature_status(signable, role)
+  
+  # Retrieve the role's threshold and the authorized keys of 'status'
+  threshold = status['threshold']
+  good_sigs = status['good_sigs']
+
+  # Does 'status' have the required threshold of signatures?
+  # First check for invalid threshold values before returning result.
+  if threshold is None or threshold <= 0:
+      raise tuf.Error("Invalid threshold: "+str(threshold))
+
+  return len(good_sigs) >= threshold
+
+
+
+
+
+def may_need_new_keys(signature_status):
+  """
+  <Purpose> 
+    Return true iff downloading a new set of keys might tip this
+    signature status over to valid.  This is determined by checking
+    if either the number of unknown or untrused keys is > 0.
+
+  <Arguments>
+    signature_status:
+      The dictionary returned by tuf.sig.get_signature_status().
+
+  <Exceptions>
+    tuf.FormatError, if 'signature_status does not have the correct format.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    Boolean.
+
+  """
+
+
+  # Does 'signature_status' have the correct format?
+  # This check will ensure 'signature_status' has the appropriate number
+  # of objects and object types, and that all dict keys are properly named.
+  # Raise 'tuf.FormatError' if the check fails.
+  tuf.formats.SIGNATURESTATUS_SCHEMA.check_match(signature_status)
+
+  unknown = signature_status['unknown_sigs']
+  untrusted = signature_status['untrusted_sigs']
+
+  return len(unknown) or len(untrusted)
+
+
+
+
+
+def generate_rsa_signature(signed, rsakey_dict):
+  """
+  <Purpose>
+    Generate a new signature dict presumably to be added to the 'signatures'
+    field of 'signable'.  The 'signable' dict is of the form:
+
+    {'signed': 'signer',
+               'signatures': [{'keyid': keyid,
+                               'method': 'evp',
+                               'sig': sig}]}
+
+    The 'signed' argument is needed here for the signing process.
+    The 'rsakey_dict' argument is used to generate 'keyid', 'method', and 'sig'.
+
+    The caller should ensure the returned signature is not already in
+    'signable'.
+
+  <Arguments>
+    signed:
+      The data used by 'tuf.rsa_key.create_signature()' to generate signatures.
+      It is stored in the 'signed' field of 'signable'.
+
+    rsakey_dict:
+      The RSA key, a tuf.formats.RSAKEY_SCHEMA dictionary.
+      Used here to produce 'keyid', 'method', and 'sig'.
+
+  <Exceptions>
+    tuf.FormatError, if 'rsakey_dict' does not have the correct format.
+
+    TypeError, if a private key is not defined for 'rsakey_dict'.
+
+  <Side Effects>
+    None.
+
+  <Returns>
+    Signature dictionary conformant to tuf.formats.SIGNATURE_SCHEMA.
+    Has the form:
+    {'keyid': keyid, 'method': 'evp', 'sig': sig}
+
+  """
+
+  # We need 'signed' in canonical JSON format to generate
+  # the 'method' and 'sig' fields of the signature.
+  signed = tuf.formats.encode_canonical(signed)
+
+  # Generate the RSA signature.
+  # Raises tuf.FormatError and TypeError.
+  signature = tuf.rsa_key.create_signature(rsakey_dict, signed)
+
+  return signature
diff --git a/src/tuf/tests/__init__.py b/src/tuf/tests/__init__.py
new file mode 100755
index 00000000..e69de29b
diff --git a/src/tuf/tests/repository_setup.py b/src/tuf/tests/repository_setup.py
new file mode 100755
index 00000000..f2a32cd2
--- /dev/null
+++ b/src/tuf/tests/repository_setup.py
@@ -0,0 +1,354 @@
+"""
+<Program Name>
+  repository_setup.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  October 15, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  To provide a quick repository structure to be used in conjunction with
+  test modules like test_updater.py for instance.
+
+"""
+
+import os
+import sys
+import shutil
+import tempfile
+
+import tuf.rsa_key as rsa_key
+import tuf.repo.keystore as keystore
+import tuf.repo.signerlib as signerlib
+import tuf.repo.signercli as signercli
+import tuf.tests.unittest_toolbox as unittest_toolbox
+
+
+# Populating 'rsa_keystore' and 'rsa_passwords' dictionaries.
+# We will need them in creating keystore directory.
+unittest_toolbox.Modified_TestCase.bind_keys_to_roles()
+
+
+#  Role:keyids dictionary.
+role_keyids = {}
+for role in unittest_toolbox.Modified_TestCase.semi_roledict.keys():
+  role_keyids[role] = unittest_toolbox.Modified_TestCase.semi_roledict[role]['keyids']
+
+
+
+
+
+def _create_keystore(keystore_directory):
+  """
+  <Purpose>
+    Populate 'keystore_directory' with keys (.key files).
+  """
+  
+  _rsa_keystore = unittest_toolbox.Modified_TestCase.rsa_keystore
+  _rsa_passwords = unittest_toolbox.Modified_TestCase.rsa_passwords
+  if not _rsa_keystore or not _rsa_passwords:
+    msg = 'Populate \'rsa_keystore\' and \'rsa_passwords\''+\
+          ' before invoking this method.'
+    sys.exit(msg)
+
+  keystore._keystore = _rsa_keystore
+  keystore._key_passwords = _rsa_passwords
+  keystore.save_keystore_to_keyfiles(keystore_directory)
+
+
+
+
+
+def build_server_repository(server_repository_dir, targets_dir):
+  """
+  <Purpose>
+    'build_server_repository' builds a complete repository based on target
+    files provided in the 'targets_dir'.  Delegated roles are included.
+  """
+  
+  server_metadata_dir = os.path.join(server_repository_dir, 'metadata')
+  keystore_dir = os.path.join(server_repository_dir, 'keystore')
+
+  #  Remove 'server_metadata_dir' and 'keystore_dir' if they already exist.
+  if os.path.exists(server_metadata_dir):
+    shutil.rmtree(server_metadata_dir)
+  if os.path.exists(keystore_dir):
+    shutil.rmtree(keystore_dir)
+
+  #  Make metadata directory inside server repository dir.
+  os.mkdir(server_metadata_dir)
+
+  #  Make a keystore directory inside server's repository and populate it.
+  os.mkdir(keystore_dir)
+  _create_keystore(keystore_dir)
+
+  #  Build config file.
+  build_config = signerlib.build_config_file
+  top_level_role_info = unittest_toolbox.Modified_TestCase.top_level_role_info
+  config_filepath = build_config(server_repository_dir, 365, top_level_role_info)
+
+
+  # BUILD ROLE FILES.
+  #  Build root file.
+  signerlib.build_root_file(config_filepath, role_keyids['root'],
+                            server_metadata_dir)
+
+  #  Build targets file.
+  signerlib.build_targets_file(targets_dir, role_keyids['targets'],
+                            server_metadata_dir)
+
+  # MAKE DELEGATIONS.
+  #  We will need to patch a few signercli prompts.
+  #  Specifically, signercli.make_delegations() asks user input for:
+  #  metadata directory, delegated targets directory, parent role,
+  #  passwords for parent role's keyids, delegated role's name, and
+  #  the keyid to be assigned to the delegated role.  Take a look at
+  #  signercli's make_delegation() to gain bit more insight in what is
+  #  happening.
+
+  # 'load_key' is a reference to the 'load_keystore_from_keyfiles function'.
+  load_keys = keystore.load_keystore_from_keyfiles
+
+  #  Setup first level delegated role.
+  delegated_level1 = os.path.join(targets_dir, 'delegated_level1')
+  delegated_targets_dir = delegated_level1
+  parent_role = 'targets'
+  delegated_role_name = 'delegated_role1'
+  signing_keyids = role_keyids['targets/delegated_role1'] 
+  
+
+  #  Patching the 'signercli' prompts.
+  
+  #  Mock method for signercli._get_metadata_directory().
+  def _mock_get_metadata_directory():
+    return server_metadata_dir
+
+  #  Mock method for signercli._prompt().
+  def _mock_prompt(msg, junk):
+    if msg.startswith('\nNOTE: The directory entered'):
+      return delegated_targets_dir
+    elif msg.startswith('\nChoose and enter the parent'):
+      return parent_role
+    elif msg.endswith('\nEnter the delegated role\'s name: '):
+      return delegated_role_name
+    else:
+      error_msg = ('Prompt: '+'\''+msg+'\''+
+                   ' did not match any predefined mock prompts.')
+      sys.exit(error_msg)
+   
+  #  Mock method for signercli._get_password().
+  def _mock_get_password(msg):
+    for keyid in unittest_toolbox.Modified_TestCase.rsa_keyids:
+      if msg.endswith('('+keyid+'): '):
+        return unittest_toolbox.Modified_TestCase.rsa_passwords[keyid]
+
+
+  #  Method to patch signercli._get_keyids()
+  def _mock_get_keyids(junk):
+    if signing_keyids:
+      for keyid in signing_keyids:
+        password = unittest_toolbox.Modified_TestCase.rsa_passwords[keyid]
+        #  Load the keyfile.
+        load_keys(keystore_dir, [keyid], [password])
+    return signing_keyids
+
+
+  #  Patch signercli._get_metadata_directory().
+  signercli._get_metadata_directory = _mock_get_metadata_directory
+  
+  #  Patch signercli._prompt().
+  signercli._prompt = _mock_prompt
+
+  #  Patch signercli._get_password().
+  signercli._get_password = _mock_get_password
+
+  #  Patch signercli._get_keyids().
+  signercli._get_keyids = _mock_get_keyids
+ 
+  #  Clear kestore's dictionaries, by detaching them from unittest_toolbox's
+  #  dictionaries.
+  keystore._keystore = {}
+  keystore._key_passwords = {}
+
+  #  Make first level delegation.
+  signercli.make_delegation(keystore_dir)
+
+  #  Setup second level delegated role.
+  delegated_level2 =  os.path.join(delegated_level1, 'delegated_level2')
+  delegated_targets_dir = delegated_level2
+  parent_role = 'targets/delegated_role1'
+  delegated_role_name = 'delegated_role2'
+  signing_keyids = role_keyids['targets/delegated_role1/delegated_role2']
+
+  #  Clear kestore's dictionaries.
+  keystore.clear_keystore()
+
+  #  Make second level delegation.
+  signercli.make_delegation(keystore_dir)
+
+
+  keystore._keystore = unittest_toolbox.Modified_TestCase.rsa_keystore
+  keystore._key_passwords = unittest_toolbox.Modified_TestCase.rsa_passwords
+
+  #  Build release file.
+  signerlib.build_release_file(role_keyids['release'], server_metadata_dir)
+
+  #  Build timestamp file.
+  signerlib.build_timestamp_file(role_keyids['timestamp'], server_metadata_dir)
+
+  keystore._keystore = {}
+  keystore._key_passwords = {}
+
+
+
+
+
+#  Create a complete server and client repositories.
+def create_repositories():
+  """
+  Main directories have the following structure:
+
+                        main_repository
+                             |
+                     ------------------
+                     |                |
+       client_repository_dir      server_repository_dir
+
+
+
+                      client_repository
+                             |
+                          metadata
+                             |
+                      ----------------
+                      |              |
+                  previous        current
+
+
+                      server_repository
+                             |
+                 ----------------------------
+                 |           |              |
+             metadata     targets        keystore
+                             |
+                      delegation_level1
+                             |
+                      delegation_level2
+
+
+
+  NOTE: Do not forget to remove the directory using remove_all_repositories
+        after the tests.
+
+  <Return>
+    A dictionary of all repositories, with the following keys:
+    (main_repository, client_repository, server_repository)
+
+  """
+
+
+  #  Make a temporary general repository directory.
+  repository_dir = tempfile.mkdtemp()
+
+
+  #  Make server repository and client repository directories.
+  server_repository_dir  = os.path.join(repository_dir, 'server_repository')
+  client_repository_dir  = os.path.join(repository_dir, 'client_repository')
+  os.mkdir(server_repository_dir)
+  os.mkdir(client_repository_dir)
+
+
+  #  Make metadata directory inside client repository dir.
+  client_metadata_dir = os.path.join(client_repository_dir, 'metadata')
+  os.mkdir(client_metadata_dir)
+
+  #  Create a 'targets' directory.
+  targets = os.path.join(server_repository_dir, 'targets')
+  delegated_level1 = os.path.join(targets, 'delegated_level1')
+  delegated_level2 = os.path.join(delegated_level1, 'delegated_level2')
+  os.makedirs(delegated_level2)
+
+  #  Populate the project directory with files.
+  file_path_1 = tempfile.mkstemp(suffix='.txt', dir=targets)
+  file_path_2 = tempfile.mkstemp(suffix='.txt', dir=targets)
+  file_path_3 = tempfile.mkstemp(suffix='.txt', dir=delegated_level1)
+  file_path_4 = tempfile.mkstemp(suffix='.txt', dir=delegated_level2)
+
+  def data():
+    return 'Stored data: '+unittest_toolbox.Modified_TestCase.random_string()
+
+  file_1 = open(file_path_1[1], 'wb')
+  file_1.write(data())
+  file_1.close()
+  file_2 = open(file_path_2[1], 'wb')
+  file_2.write(data())
+  file_2.close()
+  file_3 = open(file_path_3[1], 'wb')
+  file_3.write(data())
+  file_3.close()
+  file_4 = open(file_path_4[1], 'wb')
+  file_4.write(data())
+  file_4.close()
+
+
+  #  Build server's repository.
+  build_server_repository(server_repository_dir, targets)
+
+  #  Build client's repository.
+  client_repository_include_all_role_files(repository_dir)
+
+  repositories = {'main_repository': repository_dir,
+                  'client_repository': client_repository_dir,
+                  'server_repository': server_repository_dir,
+                  'targets_directory': targets}
+
+  return repositories
+
+
+
+
+
+#  client_repository_include_all_role_files() copies all of the metadata file.
+def client_repository_include_all_role_files(repository_dir):
+  if repository_dir is None:
+    msg = ('Please provide main repository directory where client '+
+           'repository is located.')
+    sys.exit(msg)
+
+  #  Destination directories.
+  current_dir = os.path.join(repository_dir, 'client_repository', 'metadata',
+                             'current')
+  previous_dir = os.path.join(repository_dir, 'client_repository', 'metadata',
+                             'previous')
+  #  Source directory.
+  metadata_files = os.path.join(repository_dir, 'server_repository',
+                                'metadata')
+
+  #  Copy the whole source directory to destination directories.
+  shutil.copytree(metadata_files, current_dir)
+  shutil.copytree(metadata_files, previous_dir)
+
+
+
+
+
+#  Supply the main repository directory.
+def remove_all_repositories(repository_directory):
+  #  Check if 'repository_directory' is an existing directory.
+  if os.path.isdir(repository_directory):
+    shutil.rmtree(repository_directory)
+  else:
+    print '\nInvalid repository directory.'
+
+
+
+
+
+if __name__ == '__main__':
+  repos = create_repositories()
+  remove_all_repositories(repos['main_repository'])
diff --git a/src/tuf/tests/test_download.py b/src/tuf/tests/test_download.py
new file mode 100755
index 00000000..66f55711
--- /dev/null
+++ b/src/tuf/tests/test_download.py
@@ -0,0 +1,176 @@
+"""
+<Program>
+  test_download.py
+  
+<Author>
+  Konstantin Andrianov
+  
+<Started>
+  March 26, 2012.
+  
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Test download.py module.
+
+NOTE: launch test_download_server.py before running.  
+"""
+
+import tuf
+import tuf.download
+import tuf.tests.unittest_toolbox as unittest_toolbox
+
+import os
+import time
+import unittest
+import hashlib
+import urllib2
+
+
+TARGET = 'test_target_file.txt'  # Remove this, use temp file instead.
+"""
+server_script = '.....'
+temp_dir = unittest_toolbox.make_temp_directory()
+current_dir = os.getcwd()
+target = unittest_toolbox.make_temp_data_file(directory=current_dir)
+server = unittest_toolbox.make_temp_data_file(directory=current_dir, 
+                                              data=server_script)
+"""
+PORT = 8080
+EXC = (tuf.FormatError, tuf.DownloadError, tuf.BadHashError, 
+       urllib2.URLError, urllib2.HTTPError)
+
+
+# Unit tests
+class TestDownload_url_to_tempfileobj(unittest.TestCase):
+  def setUp(self):
+    '''
+    <Initialized Variables>
+      url:
+        A url string that composed of localhost, port # and target name.
+      target_file:
+        A string of an entire target file.
+      target_length:
+        Integer value representing the length of the target file.
+      target_hash:
+        A dictionary consisting of the hash algorithm as a key and a hexdigest 
+        as its value.
+      digest:
+        A hexadecimal hash value.
+      
+    '''
+
+    if not os.path.isfile(TARGET):
+      self._fileobject = open(TARGET, 'w')
+      data = 'file containing data'
+      self._fileobject.write(data)
+      self._fileobject.close()
+
+    else:
+      msg = '\'TARGET\': '+TARGET+'. File already exists! Try renaming TARGET.'
+      raise tuf.Error, msg
+
+    self.url = "http://localhost:"+str(PORT)+"/"+TARGET
+ 
+    self._fileobject = open(TARGET, 'r')
+    self.target_file = self._fileobject.read()
+    self.target_length = len(self.target_file)
+  
+    # Computing hash of the target file.
+    # md5 algorithm is used here, any algorithm can be used. If changed to some 
+    # other algorithm don't forget to edit the key in 'self.target_hash' 
+    # dictionary.
+    self.d = hashlib.md5()
+    self.d.update(self.target_file)
+    self.digest = self.d.hexdigest()
+    self.target_hash = {"md5":self.digest}  
+  
+  
+  def tearDown(self):
+    self._fileobject.close()
+    os.remove(TARGET)
+
+  def testNormal(self):
+    # temp_file is a 'file-like' object
+    # I took measurement of performance when using 'auto_flush = False' vs. 
+    # 'auto_flush = True' in the download_url_to_file(). No change was observed.
+    star_cpu = time.clock()
+    star_real = time.time()
+    _temp_file = tuf.download.download_url_to_tempfileobj(self.url, 
+                                                          self.target_hash,
+                                                          self.target_length)
+    end_cpu = time.clock()
+    end_real = time.time()
+    print "Performance cpu time: "+str(end_cpu - star_cpu)
+    print "Performance real time: "+str(end_real - star_real)
+    _temp_file.seek(0)
+    data = _temp_file.read()
+    _temp_file.close_temp_file()
+    self.assertEqual(data, self.target_file)
+
+
+  def testWrongLength_lessthenactual(self):
+    wronglength = self.target_length - 1
+    self.assertRaises(tuf.DownloadError, 
+                      tuf.download.download_url_to_tempfileobj,
+                      self.url, self.target_hash, wronglength)
+
+
+  def testWrongLength(self):
+    wronglength = self.target_length + 1
+    self.assertRaises(tuf.DownloadError, 
+                      tuf.download.download_url_to_tempfileobj,
+                      self.url, self.target_hash, wronglength)
+
+
+  def testWrongHash(self):
+    wronghash = {"md5":"fffffffffffffff"}
+    self.assertRaises(tuf.DownloadError, 
+                      tuf.download.download_url_to_tempfileobj,
+                      self.url, wronghash, self.target_length)
+
+
+  def testEmptyArgs_url(self):
+    url = None
+    self.assertRaises(EXC, tuf.download.download_url_to_tempfileobj,
+                      url, self.target_hash, self.target_length)
+
+
+  def testEmptyArgs_hashes(self):
+    _hash = None
+    self.assertRaises(EXC, tuf.download.download_url_to_tempfileobj,
+                      self.url, _hash, self.target_length)
+  
+
+  def testEmptyArgs_length(self):
+    length = None
+    self.assertRaises(EXC, tuf.download.download_url_to_tempfileobj,
+                      self.url, self.target_hash,length)
+
+
+  def testWrongFile(self):
+    url = self.url = "http://localhost:"+str(PORT)+"/"+"non_existing.sh"
+    self.assertRaises(EXC, tuf.download.download_url_to_tempfileobj,
+                      url, self.target_hash, self.target_length)
+
+
+  def testWrongPort(self):
+    wrongPort = 8081
+    url = self.url = "http://localhost:"+str(wrongPort)+"/"+TARGET
+    self.assertRaises(EXC, tuf.download.download_url_to_tempfileobj,
+                      url, self.target_hash, self.target_length)
+
+
+  # This function takes time to complete.
+  def testWrongURL(self):
+    url = self.url = "http://192.168.12.12:"+str(PORT)+"/"+"non_existing.sh"
+    self.assertRaises(EXC, tuf.download.download_url_to_tempfileobj,
+                      url, self.target_hash, self.target_length)
+
+
+
+# Run the unittests.  
+if __name__ == '__main__':
+  unittest.main()
+
diff --git a/src/tuf/tests/test_download_server.py b/src/tuf/tests/test_download_server.py
new file mode 100755
index 00000000..b8d4a39e
--- /dev/null
+++ b/src/tuf/tests/test_download_server.py
@@ -0,0 +1,37 @@
+"""
+<Program>
+  test_download_server.py
+ 
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  February 15, 2012
+  
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  This is a basic server that was designed to be used in conjunction with 
+  test_download.py to test download.py module. 
+
+"""
+
+# Server serves files in the current directory.
+
+import SimpleHTTPServer
+import SocketServer
+
+PORT = 8080
+
+Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
+httpd = SocketServer.TCPServer(("", PORT), Handler)
+
+print "serving at port", PORT
+httpd.serve_forever(poll_interval=0.5)
+
+
+# Instead you can run the following command:
+# $python -m SimpleHTTPServer 8080
+# http://docs.python.org/library/simplehttpserver.html#module-SimpleHTTPServer
+
diff --git a/src/tuf/tests/test_hash.py b/src/tuf/tests/test_hash.py
new file mode 100755
index 00000000..cfd5d7b3
--- /dev/null
+++ b/src/tuf/tests/test_hash.py
@@ -0,0 +1,219 @@
+"""
+<Program Name>
+  test_hash.py
+
+<Authors>
+  Geremy Condra
+  Vladimir Diaz
+    vladimir.v.diaz AT gmail
+
+<Started>
+  March 1, 2012.  Based on a previous version of this module.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Unit tests for hash.py.
+
+"""
+
+import os
+import StringIO
+import tempfile
+import unittest
+
+import tuf.hash
+
+
+class Test(unittest.TestCase):
+
+  def _run_with_all_hash_libraries(self, test_func):
+    test_func('hashlib')
+    test_func('pycrypto')
+
+
+  def test_md5_update(self):
+    self._run_with_all_hash_libraries(self._do_md5_update)
+
+
+  def _do_md5_update(self, library):
+    digest_object = tuf.hash.digest('md5', library)
+    self.assertEqual(digest_object.hexdigest(),
+                    'd41d8cd98f00b204e9800998ecf8427e')
+    digest_object.update('a')
+    self.assertEqual(digest_object.hexdigest(),
+                    '0cc175b9c0f1b6a831c399e269772661')
+    digest_object.update(u'bbb')
+    self.assertEqual(digest_object.hexdigest(),
+                    'f034e93091235adbb5d2781908e2b313')
+    digest_object.update('')
+    self.assertEqual(digest_object.hexdigest(),
+                    'f034e93091235adbb5d2781908e2b313')
+
+
+  def test_sha1_update(self):
+    self._run_with_all_hash_libraries(self._do_sha1_update)
+
+
+  def _do_sha1_update(self, library):
+    digest_object = tuf.hash.digest('sha1', library)
+
+    self.assertEqual(digest_object.hexdigest(), 
+                    'da39a3ee5e6b4b0d3255bfef95601890afd80709')
+    digest_object.update('a')
+    self.assertEqual(digest_object.hexdigest(),
+                    '86f7e437faa5a7fce15d1ddcb9eaeaea377667b8')
+    digest_object.update(u'bbb')
+    self.assertEqual(digest_object.hexdigest(),
+                    'd7bfa42fc62b697bf6cf1cda9af1fb7f40a27817')
+    digest_object.update('')
+    self.assertEqual(digest_object.hexdigest(),
+                    'd7bfa42fc62b697bf6cf1cda9af1fb7f40a27817')
+
+
+  def test_sha224_update(self):
+    self._run_with_all_hash_libraries(self._do_sha224_update)
+
+
+  def _do_sha224_update(self, library):
+    digest_object = tuf.hash.digest('sha224', library)
+
+    self.assertEqual(digest_object.hexdigest(),
+                    'd14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f')
+    digest_object.update('a')
+    self.assertEqual(digest_object.hexdigest(),
+                    'abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5')
+    digest_object.update(u'bbb')
+    self.assertEqual(digest_object.hexdigest(),
+                    'ab1342f31c2a6f242d9a3cefb503fb49465c95eb255c16ad791d688c')
+    digest_object.update('')
+    self.assertEqual(digest_object.hexdigest(),
+                    'ab1342f31c2a6f242d9a3cefb503fb49465c95eb255c16ad791d688c')
+
+
+  def test_sha256_update(self):
+    self._run_with_all_hash_libraries(self._do_sha256_update)
+
+
+  def _do_sha256_update(self, library):
+    digest_object = tuf.hash.digest('sha256', library)
+    self.assertEqual(digest_object.hexdigest(),
+            'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
+    digest_object.update('a')
+    self.assertEqual(digest_object.hexdigest(),
+            'ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb')
+    digest_object.update(u'bbb')
+    self.assertEqual(digest_object.hexdigest(),
+            '01d162a5c95d4698c0a3e766ae80d85994b549b877ed275803725f43dadc83bd')
+    digest_object.update('')
+    self.assertEqual(digest_object.hexdigest(),
+            '01d162a5c95d4698c0a3e766ae80d85994b549b877ed275803725f43dadc83bd')
+
+
+  def test_sha384_update(self):
+    self._run_with_all_hash_libraries(self._do_sha384_update)
+
+
+  def _do_sha384_update(self, library):
+    digest_object = tuf.hash.digest('sha384', library)
+    self.assertEqual(digest_object.hexdigest(),
+    '38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe'
+    '76f65fbd51ad2f14898b95b')
+    digest_object.update('a')
+    self.assertEqual(digest_object.hexdigest(), 
+    '54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d'
+    '57bc35efae0b5afd3145f31')
+    digest_object.update(u'bbb')
+    self.assertEqual(digest_object.hexdigest(),
+    'f2c1438e9cc1d24bebbf3b88e60adc169db0c5c459d02054ec131438bf20ebee5ca88c17c'
+    'b5f1a824fcccf8d2b20b0a9')
+    digest_object.update('')
+    self.assertEqual(digest_object.hexdigest(),
+    'f2c1438e9cc1d24bebbf3b88e60adc169db0c5c459d02054ec131438bf20ebee5ca88c17c'
+    'b5f1a824fcccf8d2b20b0a9')
+
+
+  def test_sha512_update(self):
+    self._run_with_all_hash_libraries(self._do_sha512_update)
+
+
+  def _do_sha512_update(self, library):
+    digest_object = tuf.hash.digest('sha512', library)
+
+    self.assertEqual(digest_object.hexdigest(),
+    'cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5'
+    'd85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e')
+    digest_object.update('a')
+    self.assertEqual(digest_object.hexdigest(), 
+    '1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652'
+    'bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75')
+    digest_object.update(u'bbb')
+    self.assertEqual(digest_object.hexdigest(),
+    '09ade82ae3c5d54f8375f348563a372106488adef16a74b63b5591849f740bff55ceab22e'
+    '117b4b09349b860f8a644adb32a9ea542abdecb80bf625160604251')
+    digest_object.update('')
+    self.assertEqual(digest_object.hexdigest(),
+    '09ade82ae3c5d54f8375f348563a372106488adef16a74b63b5591849f740bff55ceab22e'
+    '117b4b09349b860f8a644adb32a9ea542abdecb80bf625160604251')
+
+
+  def test_unsupported_algorithm(self):
+    self._run_with_all_hash_libraries(self._do_unsupported_algorithm)
+
+
+  def _do_unsupported_algorithm(self, library):
+    self.assertRaises(tuf.UnsupportedAlgorithmError, tuf.hash.digest, 'bogus')
+
+
+  def test_digest_size(self):
+    self._run_with_all_hash_libraries(self._do_digest_size)
+
+
+  def _do_digest_size(self, library):
+    self.assertEqual(16, tuf.hash.digest('md5', library).digest_size)
+    self.assertEqual(20, tuf.hash.digest('sha1', library).digest_size)
+    self.assertEqual(28, tuf.hash.digest('sha224', library).digest_size)
+    self.assertEqual(32, tuf.hash.digest('sha256', library).digest_size)
+    self.assertEqual(48, tuf.hash.digest('sha384', library).digest_size)
+    self.assertEqual(64, tuf.hash.digest('sha512', library).digest_size)
+
+
+  def test_update_filename(self):
+    self._run_with_all_hash_libraries(self._do_update_filename)
+
+
+  def _do_update_filename(self, library):
+    data = 'abcdefgh' * 4096
+    fd, filename = tempfile.mkstemp()
+    try:
+      os.write(fd, data)
+      os.close(fd)
+      for algorithm in ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512']:
+        digest_object_truth = tuf.hash.digest(algorithm, library)
+        digest_object_truth.update(data)
+        digest_object = tuf.hash.digest_filename(filename, algorithm, library)
+        self.assertEqual(digest_object_truth.digest(), digest_object.digest())
+    finally:
+        os.remove(filename)
+
+
+  def test_update_file_obj(self):
+    self._run_with_all_hash_libraries(self._do_update_file_obj)
+
+
+  def _do_update_file_obj(self, library):
+    data = 'abcdefgh' * 4096
+    file_obj = StringIO.StringIO()
+    file_obj.write(data)
+    for algorithm in ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512']:
+      digest_object_truth = tuf.hash.digest(algorithm, library)
+      digest_object_truth.update(data)
+      digest_object = tuf.hash.digest_fileobject(file_obj, algorithm, library)
+      # Note: we don't seek because the update_file_obj call is supposed
+      # to always seek to the beginning.
+      self.assertEqual(digest_object_truth.digest(), digest_object.digest())
+
+
+if __name__ == "__main__":
+    unittest.main()
diff --git a/src/tuf/tests/test_keystore.py b/src/tuf/tests/test_keystore.py
new file mode 100755
index 00000000..2e145adf
--- /dev/null
+++ b/src/tuf/tests/test_keystore.py
@@ -0,0 +1,327 @@
+"""
+<Program Name>
+  test_keystore.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  April 27, 2012.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Unit test for keystore.py.
+
+"""
+
+import unittest
+import shutil
+import os
+
+import tuf.repo.keystore
+import tuf.rsa_key
+import tuf.formats
+import tuf.util
+
+# We'll need json module for testing '_encrypt()' and '_decrypt()'
+# internal function.
+json = tuf.util.import_json()
+
+# Creating a directory string in current directory. 
+_CURRENT_DIR = os.getcwd()
+_DIR = os.path.join(_CURRENT_DIR, 'test_keystore')
+
+# Check if directory '_DIR' exists.
+if os.path.exists(_DIR):
+  msg = ('\''+_DIR+'\' directory already exists,'+ 
+        ' please change '+'\'_DIR\''+' to something else.')
+  raise tuf.Error(msg)
+
+KEYSTORE = tuf.repo.keystore
+RSAKEYS = []
+PASSWDS = []
+temp_keys_info = []
+temp_keys_vals = []
+
+print 'Generating keys...'
+for i in range(3):
+  # Populating the original 'RSAKEYS' and 'PASSWDS' lists.
+  RSAKEYS.append(tuf.rsa_key.generate())
+  PASSWDS.append('passwd_'+str(i))
+
+  # Saving original copies of 'RSAKEYS' and 'PASSWDS' to temp variables
+  # in order to repopulate them at the start of every test.
+  temp_keys_info.append(RSAKEYS[i].values())
+  temp_keys_vals.append(RSAKEYS[i]['keyval'].values())
+
+temp_passwds=list(PASSWDS)
+print 'Done.'
+
+
+
+class TestKeystore(unittest.TestCase):
+  def setUp(self):
+    # Returning 'RSAKEY' and 'PASSWDS' to original state.
+    for i in range(len(temp_keys_info)):
+      RSAKEYS[i]['keytype'] = temp_keys_info[i][0]
+      RSAKEYS[i]['keyid'] = temp_keys_info[i][1]
+      RSAKEYS[i]['keyval'] = temp_keys_info[i][2]
+      RSAKEYS[i]['keyval']['public'] = temp_keys_vals[i][0]
+      RSAKEYS[i]['keyval']['private'] = temp_keys_vals[i][1]
+      PASSWDS[i] = temp_passwds[i]
+
+
+
+  def tearDown(self):
+    # Empty keystore's databases.
+    KEYSTORE.clear_keystore()
+
+    # Check if directory '_DIR' exists, remove it if it does.
+    if os.path.exists(_DIR):
+      shutil.rmtree(_DIR)
+
+
+
+  def test_clear_keystore(self):
+    # Populate KEYSTORE's internal databases '_keystore' and '_key_passwords'.
+    for i in range(3):
+      KEYSTORE.add_rsakey(RSAKEYS[i], PASSWDS[i], RSAKEYS[i]['keyid'])
+   
+    # Verify KEYSTORE's internal databases ARE NOT EMPTY.
+    self.assertTrue(len(KEYSTORE._keystore) > 0)
+    self.assertTrue(len(KEYSTORE._key_passwords) > 0)
+   
+    # Clear KEYSTORE's internal databases.
+    KEYSTORE.clear_keystore()
+
+    # Verify KEYSTORE's internal databases ARE EMPTY.
+    self.assertFalse(len(KEYSTORE._keystore) > 0)
+    self.assertFalse(len(KEYSTORE._key_passwords) > 0)
+
+  
+
+  def test_add_rsakey(self):
+    # Passing 2 arguments to the function and verifying that the internal 
+    # databases have been modified.
+    KEYSTORE.add_rsakey(RSAKEYS[0], PASSWDS[0])
+
+    self.assertEqual(RSAKEYS[0], KEYSTORE._keystore[RSAKEYS[0]['keyid']], 
+                     'Adding an rsa key dict was unsuccessful.')
+
+    self.assertEqual(PASSWDS[0], 
+              KEYSTORE._key_passwords[RSAKEYS[0]['keyid']], 
+              'Adding a password pertaining to \'_keyid\' was unsuccessful.')
+    
+    # Passing three arguments to the function, i.e. including the 'keyid'.
+    KEYSTORE.add_rsakey(RSAKEYS[1], PASSWDS[1], RSAKEYS[1]['keyid'])
+
+    self.assertEqual(RSAKEYS[1], 
+                     KEYSTORE._keystore[RSAKEYS[1]['keyid']], 
+                     'Adding an rsa key dict was unsuccessful.')
+
+    self.assertEqual(PASSWDS[1], 
+              KEYSTORE._key_passwords[RSAKEYS[1]['keyid']],
+              'Adding a password pertaining to \'_keyid\' was unsuccessful.')
+
+    # Passing a keyid that does not match the keyid in 'rsakey_dict'.
+    _keyid = 'somedifferentkey123456789' 
+    self.assertRaises(tuf.Error, KEYSTORE.add_rsakey, RSAKEYS[2], 
+                      PASSWDS[2], _keyid)
+
+    # Passing an existing 'rsakey_dict' object.
+    self.assertRaises(tuf.KeyAlreadyExistsError, KEYSTORE.add_rsakey, 
+                      RSAKEYS[1], PASSWDS[1], RSAKEYS[1]['keyid'])
+
+    # Passing an 'rsakey_dict' that does not conform to the 'RSAKEY_SCHEMA'.
+    del RSAKEYS[2]['keytype']
+ 
+    self.assertRaises(tuf.FormatError, KEYSTORE.add_rsakey,
+                      RSAKEYS[2], PASSWDS[2], RSAKEYS[2]['keyid'])
+
+
+
+  def test_save_keystore_to_keyfiles(self):
+    # Extract and store keyids in '_keyids' list.
+    keyids = []
+
+    # Populate KEYSTORE's internal databases '_keystore' and '_key_passwords'.
+    for i in range(3):
+      KEYSTORE.add_rsakey(RSAKEYS[i], PASSWDS[i], RSAKEYS[i]['keyid'])
+      keyids.append(RSAKEYS[i]['keyid'])      
+
+    # Check if directory '_DIR' exists, remove it if it does.
+    if os.path.exists(_DIR):
+      shutil.rmtree(_DIR)
+
+    KEYSTORE.save_keystore_to_keyfiles(_DIR)
+   
+    # Check if directory '_DIR' has been created.
+    self.assertTrue(os.path.exists(_DIR), 'Creating directory failed.')
+
+    # Check if all of the key files where created and that they are not empty.
+    for keyid in keyids:
+      key_file = os.path.join(_DIR, str(keyid)+'.key')
+      # Checks if key file has been created.
+      self.assertTrue(os.path.exists(key_file), 'Key file does not exits.')
+
+      file_stats = os.stat(key_file)
+      # Checks if key file is not empty.
+      self.assertTrue(file_stats.st_size > 0)
+
+    # Passing an invalid 'directory_name' argument - an integer value.
+    self.assertRaises(tuf.FormatError, KEYSTORE.save_keystore_to_keyfiles, 222)
+
+
+
+  def test_load_keystore_from_keyfiles(self):
+    keyids = []
+    # Check if '_DIR' directory exists, if not - create it.
+    if not os.path.exists(_DIR):
+      # Populate KEYSTORE's internal databases.
+      for i in range(3):
+        KEYSTORE.add_rsakey(RSAKEYS[i], PASSWDS[i], RSAKEYS[i]['keyid'])
+        keyids.append(RSAKEYS[i]['keyid'])
+
+      # Create the key files.
+      KEYSTORE.save_keystore_to_keyfiles(_DIR)
+    
+    # Clearing internal databases.
+    KEYSTORE.clear_keystore()
+
+    # Test normal conditions where two valid arguments are passed. 
+    loaded_keys = KEYSTORE.load_keystore_from_keyfiles(_DIR, keyids, PASSWDS)
+    
+    # Loaded keys should all be contained in 'keyids'.
+    loaded_keys_set = set(loaded_keys)
+    keyids_set = set(keyids)
+    intersect = keyids_set.intersection(loaded_keys_set)
+    self.assertEquals(len(intersect), len(keyids))
+
+    for i in range(3):
+      self.assertEqual(RSAKEYS[i], KEYSTORE._keystore[RSAKEYS[i]['keyid']])
+
+    # Clearing internal databases.
+    KEYSTORE.clear_keystore()
+
+    _invalid_dir = os.path.join(_CURRENT_DIR, 'invalid_directory')
+
+    # Passing an invalid 'directory_name' argument - a directory that
+    # does not exist. AS EXPECTED, THIS CALL SHOULDN'T RAISE ANY ERRORS.
+    KEYSTORE.load_keystore_from_keyfiles(_invalid_dir, keyids, PASSWDS)
+
+    # The keystore should not have loaded any keys.
+    self.assertEqual(0, len(KEYSTORE._keystore))
+    self.assertEqual(0, len(KEYSTORE._key_passwords))
+
+    # Passing nonexistent 'keyids'.
+    # AS EXPECTED, THIS CALL SHOULDN'T RAISE ANY ERRORS.
+    invalid_keyids = ['333', '333', '333']
+    KEYSTORE.load_keystore_from_keyfiles(_DIR, invalid_keyids, PASSWDS)
+   
+    # The keystore should not have loaded any keys.
+    self.assertEqual(0, len(KEYSTORE._keystore))
+    self.assertEqual(0, len(KEYSTORE._key_passwords))
+
+    # Passing an invalid 'directory_name' argument - an integer value.
+    self.assertRaises(tuf.FormatError, KEYSTORE.load_keystore_from_keyfiles,
+                      333, keyids, PASSWDS)
+
+    # Passing an invalid 'passwords' argument - a string value.
+    self.assertRaises(tuf.FormatError, KEYSTORE.load_keystore_from_keyfiles,
+                      _DIR, keyids, '333')
+
+    # Passing an invalid 'passwords' argument - an integer value.
+    self.assertRaises(tuf.FormatError, KEYSTORE.load_keystore_from_keyfiles,
+                      _DIR, keyids, 333)
+
+    # Passing an invalid 'keyids' argument - a string value.
+    self.assertRaises(tuf.FormatError, KEYSTORE.load_keystore_from_keyfiles,
+                      _DIR, '333', PASSWDS)
+    
+    # Passing an invalid 'keyids' argument - an integer value.
+    self.assertRaises(tuf.FormatError, KEYSTORE.load_keystore_from_keyfiles,
+                     _DIR, 333, PASSWDS)
+
+
+
+  def test_change_password(self):
+    # Populate KEYSTORE's internal databases.
+    for i in range(2):
+      KEYSTORE.add_rsakey(RSAKEYS[i], PASSWDS[i], RSAKEYS[i]['keyid'])
+
+    # Create a new password.
+    new_passwd = 'changed_password'
+
+    # Change a password - normal case.
+    KEYSTORE.change_password(RSAKEYS[0]['keyid'], PASSWDS[0], new_passwd)
+    
+    # Check if password was changed.
+    self.assertNotEqual(KEYSTORE._key_passwords[RSAKEYS[0]['keyid']], 
+                        PASSWDS[0])
+    self.assertEqual(KEYSTORE._key_passwords[RSAKEYS[0]['keyid']], 
+                     new_passwd)
+
+    # Passing an invalid keyid i.e. RSAKEY[2] that was not loaded into
+    # the '_keystore'.
+    self.assertRaises(tuf.UnknownKeyError, KEYSTORE.change_password, 
+                      RSAKEYS[2]['keyid'], PASSWDS[1], new_passwd)
+
+    # Passing an incorrect old password.
+    self.assertRaises(tuf.BadPasswordError, KEYSTORE.change_password,
+                      RSAKEYS[1]['keyid'], PASSWDS[2], new_passwd)
+
+
+   
+  def test_get_key(self):
+    # Populate KEYSTORE's internal databases.
+    for i in range(2):
+      KEYSTORE.add_rsakey(RSAKEYS[i], PASSWDS[i], RSAKEYS[i]['keyid'])
+
+    # Get a key - normal case.
+    self.assertEqual(KEYSTORE.get_key(RSAKEYS[0]['keyid']), RSAKEYS[0])    
+
+    # Passing an invalid keyid.
+    self.assertRaises(tuf.UnknownKeyError, 
+                      KEYSTORE.get_key, RSAKEYS[2]['keyid'])
+   
+    # Passing an invalid keyid format.
+    self.assertRaises(tuf.FormatError, KEYSTORE.get_key, 123)    
+
+
+
+  def test_internal_encrypt(self):
+    # Test for valid arguments to '_encrypt()' and a valid return type. 
+    encrypted_key = KEYSTORE._encrypt(json.dumps(RSAKEYS[0]), PASSWDS[0])
+    self.assertEqual(type(encrypted_key), str)
+   
+    # Test for invalid arguments to _encrypt().
+    self.assertRaises(tuf.CryptoError, KEYSTORE._encrypt, '', PASSWDS[0])
+    self.assertRaises(tuf.CryptoError, KEYSTORE._encrypt,
+                      json.dumps(RSAKEYS[0]), '')
+  
+  
+  
+  def test_internal_decrypt(self):
+    del RSAKEYS[0]['keyid']
+    tuf.formats.KEY_SCHEMA.check_match(RSAKEYS[0])
+
+    # Getting a valid encrypted key using '_encrypt()'.
+    encrypted_key = KEYSTORE._encrypt(json.dumps(RSAKEYS[0]), PASSWDS[0])
+
+    # Decrypting and decoding (using json's loads()) an encrypted file.
+    tuf.util.load_json_string(KEYSTORE._decrypt(encrypted_key, PASSWDS[0]))
+
+    self.assertEqual(RSAKEYS[0], tuf.util.load_json_string(
+                     KEYSTORE._decrypt(encrypted_key, PASSWDS[0])))
+    
+    # Passing an invalid password to try to decrypt the file.
+    self.assertRaises(tuf.CryptoError, KEYSTORE._decrypt,
+                      encrypted_key, PASSWDS[1])
+
+
+
+# Run the unit tests.
+suite = unittest.TestLoader().loadTestsFromTestCase(TestKeystore)
+unittest.TextTestRunner(verbosity=2).run(suite)
diff --git a/src/tuf/tests/test_mirrors.py b/src/tuf/tests/test_mirrors.py
new file mode 100755
index 00000000..23e29915
--- /dev/null
+++ b/src/tuf/tests/test_mirrors.py
@@ -0,0 +1,122 @@
+"""
+<Program>
+  test_mirrors.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  March 26, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Test mirrors.py module.
+
+"""
+
+import tuf
+import tuf.formats as formats
+import tuf.mirrors as mirrors
+import copy
+import unittest
+
+# Unit tests
+class TestMirrors(unittest.TestCase):
+  mirrors = {'mirror1': {'url_prefix' : 'http://mirror1.com',
+                         'metadata_path' : 'metadata',
+                         'targets_path' : 'targets',
+                         'confined_target_paths' : ['targets/target1.py',
+                                                    'targets/target2.py']},
+             'mirror2': {'url_prefix' : 'http://mirror2.com',
+                         'metadata_path' : 'metadata',
+                         'targets_path' : 'targets',
+                         'confined_target_paths' : ['targets/target3.py',
+                                                    'targets/target4.py']},
+             'mirror3': {'url_prefix' : 'http://mirror3.com',
+                         'metadata_path' : 'metadata',
+                         'targets_path' : 'targets',
+                         'confined_target_paths' : ['targets/target1.py',
+                                                    'targets/target2.py']}}
+
+
+
+  # Testing if wrong formats are being detected.
+  def testFormatErrors(self):
+
+    # Checking if all the formats are correct.
+    self.assertTrue(formats.MIRRORDICT_SCHEMA.matches(TestMirrors.mirrors))
+
+
+    file_path = 1234
+    file_type = 'meta'
+    self.assertRaises(tuf.FormatError, mirrors.get_list_of_mirrors,
+                      file_type, file_path, self.mirrors)
+
+    file_path = []
+    self.assertRaises(tuf.FormatError, mirrors.get_list_of_mirrors,
+                      file_type, file_path, TestMirrors.mirrors)
+
+    file_path = {}
+    self.assertRaises(tuf.FormatError, mirrors.get_list_of_mirrors,
+                      file_type, file_path, TestMirrors.mirrors)
+
+    file_type = 1234
+    file_path = 'meta2.txt'
+    self.assertRaises(tuf.FormatError, mirrors.get_list_of_mirrors,
+                      file_type, file_path, TestMirrors.mirrors)
+
+    file_type = 'blah'
+    self.assertEqual(mirrors.get_list_of_mirrors(file_type, file_path,
+                                                 TestMirrors.mirrors),
+                                                 [])
+
+
+  """
+  def testNormalCases(self):
+    file_path = 'root.txt'
+    file_type = 'meta'
+    result = mirrors.get_list_of_mirrors(file_type, file_path,
+                                             TestMirrors.mirrors)
+    print result
+    expected_output = ['http://mirror1.com/metadata/root.txt',
+              'http://mirror2.com/metadata/root.txt',
+              'http://mirror3.com/metadata/root.txt']
+    self.assertEqual(expected_output, result, 'Expected output did not match')
+
+
+    file_path = 'target1.py'
+    file_type = 'target'
+    result = mirrors.get_list_of_mirrors(file_type, file_path,
+                                             TestMirrors.mirrors)
+    print result
+    expected_output = ['http://mirror1.com/targets/target1.py',
+              'http://mirror3.com/targets/target1.py']
+    self.assertEqual(expected_output, result, 'Expected output did not match')
+
+
+    file_path = 'target4.py'
+    file_type = 'targets'
+    result = mirrors.get_list_of_mirrors(file_type, file_path,
+                                             TestMirrors.mirrors)
+    print result
+    expected_output = ['http://mirror2.com/targets/target4.py']
+    self.assertEqual(expected_output, result, 'Expected output did not match')
+  """
+
+  """
+  def testNonExistingPath(self):
+    file_path = 'tArgetz.py'
+    file_type = 'target'
+    empty_list = mirrors.get_list_of_mirrors(file_type,
+                                             file_path,
+                                             self.mirrors)
+    msg = 'List returned on wrong \'file_path\' '+'should be empty.'
+    self.assertEqual([],empty_list, msg)
+  """
+
+
+# Run the unittests
+suite = unittest.TestLoader().loadTestsFromTestCase(TestMirrors)
+unittest.TextTestRunner(verbosity=2).run(suite)
diff --git a/src/tuf/tests/test_quickstart.py b/src/tuf/tests/test_quickstart.py
new file mode 100755
index 00000000..dc978779
--- /dev/null
+++ b/src/tuf/tests/test_quickstart.py
@@ -0,0 +1,175 @@
+"""
+<Program Name>
+  test_quickstart.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  September 6, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  To test quickstart.py for expected/unexpected input by the user, verifying
+  that all unexpected input is caught and an exception is raised.
+
+  Given that all message prompts don't change - this will work pretty well
+  for running quickstart without having to manually enter input to prompts
+  every time you want to run quickstart.
+
+"""
+
+import os
+import shutil
+import unittest
+
+import quickstart
+import tuf.util
+import tuf.tests.unittest_toolbox
+
+unit_tbox = tuf.tests.unittest_toolbox.Modified_TestCase
+
+
+class TestQuickstart(unit_tbox):
+  def test_1_get_password(self):
+    # A quick test of _get_password.
+    password = self.random_string()
+    def _mock_getpass(junk1, junk2, pw = password):
+      return pw
+    # Monkey patch getpass.getpass().
+    quickstart.getpass.getpass = _mock_getpass
+    # Run _get_password().
+    self.assertEqual(quickstart._get_password(), password)
+
+
+  def test_2_build_repository(self):
+
+    # SETUP
+
+    #  Create the project directories.
+    repo_dir = os.path.join(os.getcwd(), 'repository')
+    keystore_dir = os.path.join(os.getcwd(), 'keystore')
+    client_dir = os.path.join(os.getcwd(), 'client')
+    
+    proj_files = self.make_temp_directory_with_data_files()
+    proj_dir = os.path.join(proj_files[0], 'targets')
+
+    input_dict = {'expiration':'12/12/2013',
+                  'root':{'threshold':1, 'password':'pass'},
+                  'targets':{'threshold':1, 'password':'pass'},
+                  'release':{'threshold':1, 'password':'pass'},
+                  'timestamp':{'threshold':1, 'password':'pass'}}
+
+
+    def _mock_prompt(message, junk=str, input_parameters=input_dict):
+      if message.startswith('\nWhen would you like your '+
+          'certificates to expire?'):
+        return input_parameters['expiration']
+      for role in self.role_list:  # role_list=['root', 'targets', ...]
+        if message.startswith('\nEnter the desired threshold '+
+            'for the role '+repr(role)):
+          return input_parameters[role]['threshold']
+        elif message.startswith('Enter a password for '+repr(role)):
+          for threshold in range(input_parameters[role]['threshold']):
+            if message.endswith(repr(role)+' ('+str(threshold+1)+'): '):
+              return input_parameters[role]['password']
+      print 'Cannot recognize message: '+message
+
+    # Monkey patching quickstart's _prompt() and _get_password.
+    quickstart._prompt = _mock_prompt
+    quickstart._get_password = _mock_prompt
+
+
+    def _remove_repository_directories(repo_dir, keystore_dir, client_dir):
+      """
+        quickstart.py creates the 'client', 'keystore', and 'repository'
+        directories in the current working directory.  Remove these
+        directories after every quickstart.build_repository() call.
+      """
+      
+      try: 
+        shutil.rmtree(repo_dir)
+        shutil.rmtree(keystore_dir)
+        shutil.rmtree(client_dir)
+      except OSError, e:
+        pass
+
+
+
+    # TESTS
+
+    #  TEST: various input parameters.
+    #  Supplying bogus expiration.
+    input_dict['expiration'] = '5/8/2011'
+    self.assertRaises(tuf.RepositoryError, quickstart.build_repository,
+        proj_dir)
+    input_dict['expiration'] = self.random_string()  # random string
+    self.assertRaises(tuf.RepositoryError, quickstart.build_repository,
+        proj_dir)
+    _remove_repository_directories(repo_dir, keystore_dir, client_dir) 
+    
+    #  Restore expiration.
+    input_dict['expiration'] = '10/10/2013'
+
+    #  Supplying bogus 'root' threshold.  Doing this for all roles slows
+    #  the test significantly.
+    input_dict['root']['threshold'] = self.random_string()
+    self.assertRaises(tuf.RepositoryError, quickstart.build_repository,
+        proj_dir)
+    _remove_repository_directories(repo_dir, keystore_dir, client_dir) 
+
+    input_dict['root']['threshold'] = 0
+    self.assertRaises(tuf.RepositoryError, quickstart.build_repository,
+        proj_dir)
+    _remove_repository_directories(repo_dir, keystore_dir, client_dir) 
+    
+    # Restore keystore directory.
+    input_dict['root']['threshold'] = 1
+
+    
+    #  TEST: normal case.
+    try:
+      quickstart.build_repository(proj_dir)
+    except Exception, e:
+      raise
+    
+    # Verify the existence of metadata, target, and keystore files.
+    meta_dir = os.path.join(repo_dir, 'metadata')
+    targets_dir = os.path.join(repo_dir, 'targets')
+    client_current_meta_dir = os.path.join(client_dir, 'metadata', 'current')
+    client_previous_meta_dir = os.path.join(client_dir, 'metadata', 'previous')
+    target_files = os.listdir(targets_dir)
+
+    #  Verify repository, keystore, metadata, and targets directories.
+    self.assertTrue(os.path.exists(repo_dir))
+    self.assertTrue(os.path.exists(keystore_dir))
+    self.assertTrue(os.path.exists(meta_dir))
+    self.assertTrue(os.path.exists(targets_dir))
+    self.assertTrue(os.path.exists(client_current_meta_dir))
+    self.assertTrue(os.path.exists(client_previous_meta_dir))
+
+    # Verify that target_files exist.
+    self.assertTrue(target_files)
+
+    for role in self.role_list:
+      meta_file = role+'.txt'
+      # Verify metadata file for a 'role'.
+      self.assertTrue(os.path.isfile(os.path.join(meta_dir, meta_file)))
+      # Get the metadata.
+      signable = tuf.util.load_json_file(os.path.join(meta_dir, meta_file))
+      for signature in range(len(signable['signatures'])):
+        # Extract a keyid.
+        keyid = signable['signatures'][signature]['keyid']
+        key_file = os.path.join(keystore_dir, keyid+'.key')
+        # Verify existence of a key for the keyid that belong to the 'role'.
+        self.assertTrue(os.path.isfile(key_file))
+
+    _remove_repository_directories(repo_dir, keystore_dir, client_dir) 
+
+
+
+# Run the unit tests.
+suite = unittest.TestLoader().loadTestsFromTestCase(TestQuickstart)
+unittest.TextTestRunner(verbosity=2).run(suite)
diff --git a/src/tuf/tests/test_rsa_key.py b/src/tuf/tests/test_rsa_key.py
new file mode 100755
index 00000000..c9ed6bde
--- /dev/null
+++ b/src/tuf/tests/test_rsa_key.py
@@ -0,0 +1,185 @@
+"""
+<Program Name>
+  test_rsa_key.py
+
+<Author> 
+  Konstantin Andrianov
+
+<Started>
+  April 24, 2012. 
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Test cases for rsa_key.py.
+
+<Notes> 
+  I'm using 'global rsakey_dict' - there is no harm in doing so since 
+  in order to modify the global variable in any method, python requires
+  explicit indication to modify i.e. declaring 'global' in each method 
+  that modifies the global variable 'rsakey_dict'. 
+
+"""
+
+import unittest
+
+import tuf.formats
+import tuf.rsa_key
+
+
+RSA_KEY = tuf.rsa_key
+FORMAT_ERROR_MSG = 'tuf.FormatError was raised! Check object\'s format.'
+DATA = 'SOME DATA REQUIRING AUTHENTICITY.'
+
+
+rsakey_dict = RSA_KEY.generate()
+temp_key_info_vals = rsakey_dict.values() 
+temp_key_vals = rsakey_dict['keyval'].values()
+
+class TestRSA_KEY(unittest.TestCase):
+  def setUp(self):
+    rsakey_dict['keytype']=temp_key_info_vals[0]
+    rsakey_dict['keyid']=temp_key_info_vals[1]
+    rsakey_dict['keyval']=temp_key_info_vals[2]
+    rsakey_dict['keyval']['public']=temp_key_vals[0]
+    rsakey_dict['keyval']['private']=temp_key_vals[1]
+
+ 
+  def test_generate(self):
+    _rsakey_dict = RSA_KEY.generate()
+
+    # Check if the format of the object returned by generate() corresponds
+    # to RSAKEY_SCHEMA format.
+    self.assertEqual(None, tuf.formats.RSAKEY_SCHEMA.check_match(_rsakey_dict),
+                     FORMAT_ERROR_MSG)
+
+    # Passing a bit value that is <2048 to generate() - should raise 
+    # 'tuf.FormatError'.
+    self.assertRaises(tuf.FormatError, RSA_KEY.generate, 555)
+
+    # Passing a string instead of integer for a bit value.
+    self.assertRaises(tuf.FormatError, RSA_KEY.generate, 'bits')
+
+    # NOTE if random bit value >=2048 (not 4096) is passed generate(bits) 
+    # does not raise any errors and returns a valid key.
+    self.assertTrue(tuf.formats.RSAKEY_SCHEMA.matches(RSA_KEY.generate(2048)))
+    self.assertTrue(tuf.formats.RSAKEY_SCHEMA.matches(RSA_KEY.generate(4096)))
+    
+  def test_create_in_metadata_format(self):
+    key_value = rsakey_dict['keyval']
+    key_meta = RSA_KEY.create_in_metadata_format(key_value)
+    
+    # Check if the format of the object returned by this function corresponds
+    # to KEY_SCHEMA format.
+    self.assertEqual(None, 
+                     tuf.formats.KEY_SCHEMA.check_match(key_meta), 
+                     FORMAT_ERROR_MSG)    
+    key_meta = RSA_KEY.create_in_metadata_format(key_value, private=True)
+
+    # Check if the format of the object returned by this function corresponds
+    # to KEY_SCHEMA format.
+    self.assertEqual(None, tuf.formats.KEY_SCHEMA.check_match(key_meta), 
+                     FORMAT_ERROR_MSG) 
+
+    # Supplying a 'bad' key_value.
+    del key_value['public']
+    self.assertRaises(tuf.FormatError, RSA_KEY.create_in_metadata_format,
+                      key_value)
+
+
+  def test_create_from_metadata_format(self):
+    # Reconfiguring rsakey_dict to conform to KEY_SCHEMA
+    # i.e. {keytype: 'rsa', keyval: {public: pub_key, private: priv_key}}
+    #keyid = rsakey_dict['keyid']
+    del rsakey_dict['keyid']
+
+    rsakey_dict_from_meta = RSA_KEY.create_from_metadata_format(rsakey_dict) 
+
+    # Check if the format of the object returned by this function corresponds
+    # to RSAKEY_SCHEMA format.
+    self.assertEqual(None, 
+           tuf.formats.RSAKEY_SCHEMA.check_match(rsakey_dict_from_meta),
+           FORMAT_ERROR_MSG)
+
+    # Supplying a wrong number of arguments.
+    self.assertRaises(TypeError, RSA_KEY.create_from_metadata_format)
+    args = (rsakey_dict, rsakey_dict)
+    self.assertRaises(TypeError, RSA_KEY.create_from_metadata_format, *args)
+
+    # Supplying a malformed argument to the function - should get FormatError
+    del rsakey_dict['keyval']
+    self.assertRaises(tuf.FormatError, RSA_KEY.create_from_metadata_format,
+                      rsakey_dict)   
+
+
+  def test_helper_get_keyid(self):
+    key_value = rsakey_dict['keyval']
+    
+    # Check format of 'key_value'.
+    self.assertEqual(None, tuf.formats.KEYVAL_SCHEMA.check_match(key_value),
+                     FORMAT_ERROR_MSG)
+
+    keyid = RSA_KEY._get_keyid(key_value)    
+
+    # Check format of 'keyid' - the output of '_get_keyid()' function.
+    self.assertEqual(None, tuf.formats.KEYID_SCHEMA.check_match(keyid),
+                     FORMAT_ERROR_MSG)
+
+
+  def test_createsignature(self):
+    # Creating a signature for 'DATA'.
+    signature = RSA_KEY.create_signature(rsakey_dict, DATA)
+ 
+    # Check format of output.
+    self.assertEqual(None, 
+                     tuf.formats.SIGNATURE_SCHEMA.check_match(signature),
+                     FORMAT_ERROR_MSG)
+
+    # Removing private key from 'rsakey_dict' - should raise a TypeError.
+    rsakey_dict['keyval']['private'] = ''
+    
+    args = (rsakey_dict, DATA)
+    self.assertRaises(TypeError, RSA_KEY.create_signature, *args)
+
+    # Supplying an incorrect number of arguments.
+    self.assertRaises(TypeError, RSA_KEY.create_signature)
+
+
+  def test_verify_signature(self):
+    # Creating a signature 'signature' of 'DATA' to be verified.
+    signature = RSA_KEY.create_signature(rsakey_dict, DATA)
+
+    # Verifying the 'signature' of 'DATA'.
+    verified = RSA_KEY.verify_signature(rsakey_dict, signature, DATA)
+    self.assertTrue(verified, "Incorrect signature.")
+
+    # Testing an invalid 'signature'. Same 'signature' is passed, with 
+    # 'DATA' different than the original 'DATA' that was used 
+    # in creating the 'signature'. Function should return 'False'.
+    
+    # Modifying 'DATA'.
+    _DATA = '1111'+DATA+'1111'
+  
+    # Verifying the 'signature' of modified '_DATA'.
+    verified = RSA_KEY.verify_signature(rsakey_dict, signature, _DATA)
+    self.assertFalse(verified, 
+                     'Returned \'True\' on an incorrect signature.')
+
+    # Modifying 'signature' to pass an incorrect method since only 'evp' 
+    # is accepted.
+    signature['method'] = 'not_evp'
+
+    args = (rsakey_dict, signature, DATA)
+    self.assertRaises(tuf.UnknownMethodError, RSA_KEY.verify_signature, *args) 
+
+    # Passing incorrect number of arguments.
+    self.assertRaises(TypeError,RSA_KEY.verify_signature)
+
+
+
+
+
+# Run the unit tests.
+suite = unittest.TestLoader().loadTestsFromTestCase(TestRSA_KEY)
+unittest.TextTestRunner(verbosity=2).run(suite)
diff --git a/src/tuf/tests/test_sig.py b/src/tuf/tests/test_sig.py
new file mode 100755
index 00000000..735a6f75
--- /dev/null
+++ b/src/tuf/tests/test_sig.py
@@ -0,0 +1,389 @@
+"""
+<Program Name>
+  test_sig.py
+
+<Author>
+  Geremy Condra 
+  Vladimir Diaz <vladimir.v.diaz@gmail.com>
+
+<Started>
+  February 28, 2012.  Based on a previous version of this module.
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Test cases for for sig.py.
+
+"""
+
+import unittest
+
+import tuf.keydb
+import tuf.roledb
+import tuf.rsa_key
+import tuf.sig
+
+
+# Setup the keys to use in our test cases.
+KEYS = []
+for _ in range(3):
+  KEYS.append(tuf.rsa_key.generate(2048))
+
+
+
+class TestSig(unittest.TestCase):
+  def setUp(self):
+    pass
+
+
+  def test_get_signature_status_no_role(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+    # Should verify we are not adding a duplicate signature
+    # when doing the following action.  Here we know 'signable'
+    # has only one signature so it's okay.
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+
+    tuf.keydb.add_rsakey(KEYS[0]) 
+
+    # No specific role we're considering.
+    sig_status = tuf.sig.get_signature_status(signable, None)
+
+    self.assertEqual(0, sig_status['threshold'])
+    self.assertEqual([KEYS[0]['keyid']], sig_status['good_sigs'])
+    self.assertEqual([], sig_status['bad_sigs'])
+    self.assertEqual([], sig_status['unknown_sigs'])
+    self.assertEqual([], sig_status['untrusted_sigs'])
+    self.assertEqual([], sig_status['unknown_method_sigs'])
+
+    # Not allowed to call verify() without having specified a role.
+    args = (signable, None)
+    self.assertRaises(tuf.Error, tuf.sig.verify, *args)
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+
+
+  def test_get_signature_status_bad_sig(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+    signable['signed'] += 'signature no longer matches signed data'
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    threshold = 1
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    sig_status = tuf.sig.get_signature_status(signable, 'Root')
+
+    self.assertEqual(1, sig_status['threshold'])
+    self.assertEqual([], sig_status['good_sigs'])
+    self.assertEqual([KEYS[0]['keyid']], sig_status['bad_sigs'])
+    self.assertEqual([], sig_status['unknown_sigs'])
+    self.assertEqual([], sig_status['untrusted_sigs'])
+    self.assertEqual([], sig_status['unknown_method_sigs'])
+
+    self.assertFalse(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+    # Remove the role.
+    tuf.roledb.remove_role('Root')
+
+
+  def test_get_signature_status_unknown_method(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+    signable['signatures'][0]['method'] = 'fake-sig-method'
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    threshold = 1
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    sig_status = tuf.sig.get_signature_status(signable, 'Root')
+
+    self.assertEqual(1, sig_status['threshold'])
+    self.assertEqual([], sig_status['good_sigs'])
+    self.assertEqual([], sig_status['bad_sigs'])
+    self.assertEqual([], sig_status['unknown_sigs'])
+    self.assertEqual([], sig_status['untrusted_sigs'])
+    self.assertEqual([KEYS[0]['keyid']],
+                    sig_status['unknown_method_sigs'])
+
+    self.assertFalse(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+    # Remove the role.
+    tuf.roledb.remove_role('Root')
+
+
+  def test_get_signature_status_single_key(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    threshold = 1
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    sig_status = tuf.sig.get_signature_status(signable, 'Root')
+
+    self.assertEqual(1, sig_status['threshold'])
+    self.assertEqual([KEYS[0]['keyid']], sig_status['good_sigs'])
+    self.assertEqual([], sig_status['bad_sigs'])
+    self.assertEqual([], sig_status['unknown_sigs'])
+    self.assertEqual([], sig_status['untrusted_sigs'])
+    self.assertEqual([], sig_status['unknown_method_sigs'])
+
+    self.assertTrue(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+    # Remove the role.
+    tuf.roledb.remove_role('Root')
+
+
+  def test_get_signature_status_below_threshold(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    threshold = 2
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid'],
+        KEYS[2]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    sig_status = tuf.sig.get_signature_status(signable, 'Root')
+
+    self.assertEqual(2, sig_status['threshold'])
+    self.assertEqual([KEYS[0]['keyid']], sig_status['good_sigs'])
+    self.assertEqual([], sig_status['bad_sigs'])
+    self.assertEqual([], sig_status['unknown_sigs'])
+    self.assertEqual([], sig_status['untrusted_sigs'])
+    self.assertEqual([], sig_status['unknown_method_sigs'])
+
+    self.assertFalse(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+
+    # Remove the role.
+    tuf.roledb.remove_role('Root')
+
+
+  def test_get_signature_status_below_threshold_unrecognized_sigs(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    # Two keys sign it, but only one of them will be trusted.
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[2]))
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    tuf.keydb.add_rsakey(KEYS[1])
+    threshold = 2
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid'],
+        KEYS[1]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    sig_status = tuf.sig.get_signature_status(signable, 'Root')
+
+    self.assertEqual(2, sig_status['threshold'])
+    self.assertEqual([KEYS[0]['keyid']], sig_status['good_sigs'])
+    self.assertEqual([], sig_status['bad_sigs'])
+    self.assertEqual([KEYS[2]['keyid']], sig_status['unknown_sigs'])
+    self.assertEqual([], sig_status['untrusted_sigs'])
+    self.assertEqual([], sig_status['unknown_method_sigs'])
+
+    self.assertFalse(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+    tuf.keydb.remove_key(KEYS[1]['keyid'])
+
+    # Remove the role.
+    tuf.roledb.remove_role('Root')
+  
+  
+  def test_get_signature_status_below_threshold_unauthorized_sigs(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    # Two keys sign it, but one of them is only trusted for a different
+    # role.
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[1]))
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    tuf.keydb.add_rsakey(KEYS[1])
+    threshold = 2
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid'], KEYS[2]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[1]['keyid'], KEYS[2]['keyid']], threshold)
+    tuf.roledb.add_role('Release', roleinfo)
+
+    sig_status = tuf.sig.get_signature_status(signable, 'Root')
+
+    self.assertEqual(2, sig_status['threshold'])
+    self.assertEqual([KEYS[0]['keyid']], sig_status['good_sigs'])
+    self.assertEqual([], sig_status['bad_sigs'])
+    self.assertEqual([], sig_status['unknown_sigs'])
+    self.assertEqual([KEYS[1]['keyid']], sig_status['untrusted_sigs'])
+    self.assertEqual([], sig_status['unknown_method_sigs'])
+
+    self.assertFalse(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+    tuf.keydb.remove_key(KEYS[1]['keyid'])
+
+    # Remove the roles.
+    tuf.roledb.remove_role('Root')
+    tuf.roledb.remove_role('Release')
+
+
+  def test_check_signatures_no_role(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+
+    tuf.keydb.add_rsakey(KEYS[0])
+
+    # No specific role we're considering. It's invalid to use the
+    # function tuf.sig.verify() without a role specified because
+    # tuf.sig.verify() is checking trust, as well.
+    args = (signable, None)
+    self.assertRaises(tuf.Error, tuf.sig.verify, *args)
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+
+
+  def test_verify_single_key(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    threshold = 1
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    # This will call verify() and return True if 'signable' is valid,
+    # False otherwise.
+    self.assertTrue(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+
+    # Remove the roles.
+    tuf.roledb.remove_role('Root')
+
+
+  def test_verify_unrecognized_sig(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    # Two keys sign it, but only one of them will be trusted.
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[2]))
+
+    tuf.keydb.add_rsakey(KEYS[0])
+    tuf.keydb.add_rsakey(KEYS[1])
+    threshold = 2
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[0]['keyid'], KEYS[1]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    self.assertFalse(tuf.sig.verify(signable, 'Root'))
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[0]['keyid'])
+    tuf.keydb.remove_key(KEYS[1]['keyid'])
+
+    # Remove the roles.
+    tuf.roledb.remove_role('Root')
+
+
+  def test_generate_rsa_signature(self):
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+
+    self.assertEqual(1, len(signable['signatures']))
+    signature = signable['signatures'][0]
+    self.assertEqual(KEYS[0]['keyid'], signature['keyid'])
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[1]))
+
+    self.assertEqual(2, len(signable['signatures']))
+    signature = signable['signatures'][1]
+    self.assertEqual(KEYS[1]['keyid'], signature['keyid'])
+
+
+  def test_may_need_new_keys(self):
+    # One untrusted key in 'signable'.    
+    signable = {'signed' : 'test', 'signatures' : []}
+
+    signable['signatures'].append(tuf.sig.generate_rsa_signature(
+                                  signable['signed'], KEYS[0]))
+
+    tuf.keydb.add_rsakey(KEYS[1])
+    threshold = 1
+    roleinfo = tuf.formats.make_role_metadata(
+        [KEYS[1]['keyid']], threshold)
+    tuf.roledb.add_role('Root', roleinfo)
+
+    sig_status = tuf.sig.get_signature_status(signable, 'Root')
+
+    self.assertTrue(tuf.sig.may_need_new_keys(sig_status))
+
+
+    # Done.  Let's remove the added key(s) from the key database.
+    tuf.keydb.remove_key(KEYS[1]['keyid'])
+
+    # Remove the roles.
+    tuf.roledb.remove_role('Root')
+
+
+  def test_signable_has_invalid_format(self):
+    # get_signature_status() and verify() validate 'signable' before continuing.
+    # 'signable' must be of the form: {'signed': , 'signatures': [{}]}.
+    # Object types are checked as well.
+    signable = {'not_signed' : 'test', 'signatures' : []}
+    args = (signable['not_signed'], KEYS[0]) 
+    self.assertRaises(tuf.FormatError, tuf.sig.get_signature_status, *args)
+
+    # 'signatures' value must be a list.  Let's try a dict. 
+    signable = {'signed' : 'test', 'signatures' : {}} 
+    args = (signable['signed'], KEYS[0])
+    self.assertRaises(tuf.FormatError, tuf.sig.get_signature_status, *args)
+
+
+suite = unittest.TestLoader().loadTestsFromTestCase(TestSig)
+unittest.TextTestRunner(verbosity=2).run(suite)
diff --git a/src/tuf/tests/test_signercli.py b/src/tuf/tests/test_signercli.py
new file mode 100755
index 00000000..4b959c16
--- /dev/null
+++ b/src/tuf/tests/test_signercli.py
@@ -0,0 +1,1220 @@
+"""
+<Program Name>
+  test_signercli.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  September 20, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  test_signercli.py provides collection of methods that tries to test all the
+  units (methods) of the module under test.
+
+  unittest_toolbox module was created to provide additional testing tools for
+  tuf's modules.  For more info see unittest_toolbox.py.
+
+
+<Methodology>
+  Unittests must follow a specific structure i.e. independent methods should
+  be tested prior to dependent methods. More accurately: least dependent
+  methods are tested before most dependent methods.  There is no reason to
+  rewrite or construct other methods that replicate already-tested methods
+  solely for testing purposes.  This is possible because 'unittest.TestCase'
+  class guarantees the order of unit tests.  So that, 'test_something_A'
+  method would be tested before 'test_something_B'.  To ensure the structure
+  a number will be placed after 'test' and before methods name like so:
+  'test_1_check_directory'.  The number is a measure of dependence, where 1
+  is less dependent than 2.
+
+"""
+
+
+import os
+
+import tuf.formats
+import tuf.util
+import tuf.repo.keystore as keystore
+import tuf.repo.signerlib as signerlib
+#  Module to test: signercli.py
+import tuf.repo.signercli as signercli
+#  Helper module unittest_toolbox.py
+import tuf.tests.unittest_toolbox as unittest_toolbox
+
+
+
+# Populating 'rsa_keystore' and 'rsa_passwords' dictionaries.
+# We will need them when creating keystore directories.
+unittest_toolbox.Modified_TestCase.bind_keys_to_roles()
+
+
+
+class TestSignercli(unittest_toolbox.Modified_TestCase):
+
+
+  #  HELPER METHODS.
+
+  #  Generic patch for signerlib._prompt().
+  def mock_prompt(self, output):
+
+    #  Method to patch signercli._prompt().
+    def _mock_prompt(junk1, junk2, ret=output):
+      return ret
+
+    #  Patch signercli._prompt()
+    signercli._prompt = _mock_prompt
+
+
+
+  #  Patch signercli._get_metadata_directory()
+  def mock_get_metadata_directory(self, directory=None):
+
+    #  Create method to patch signercli._get_metadata_directory()
+    def _mock_get_meta_dir(directory=directory):
+
+      #  If directory was specified, return that directory.
+      if directory:
+        return directory
+
+      #  Else create a temporary directory and return it.
+      else:
+        return self.make_temp_directory()
+
+    #  Patch signercli._get_metadata_directory()
+    signercli._get_metadata_directory = _mock_get_meta_dir
+
+
+
+  #  This method patches signercli._prompt() that are called from
+  #  make_role_metadata methods (e.g., tuf.signercli.make_root_metadata()).
+  def make_metadata_mock_prompts(self, targ_dir, conf_path):
+    def _mock_prompt(msg, junk):
+      if msg.startswith('\nEnter the directory containing the target'):
+        return targ_dir
+      elif msg.startswith('\nEnter the configuration file path'):
+        return conf_path
+      else:
+        error_msg = ('Prompt: '+'\''+msg[1:]+'\''+
+            ' did not match any predefined mock prompts.')
+        self.fail(error_msg)
+
+    #  Patch signercli._prompt().
+    signercli._prompt = _mock_prompt
+
+
+
+  #  This mock method can be easily modified, by altering unittest_toolbox's
+  #  dictionaries.  For instance, if you want to modify password for certain
+  #  keyid just save the existing 'self.rsa_passwords[keyid]' and set it
+  #  to some other value like self.random_string(), after the test reassign
+  #  the saved value back to 'self.rsa_passwords[keyid]'.
+  def get_passwords(self):
+
+    #  Mock '_get_password' method.
+    def _mock_get_password(msg):
+      for role in self.role_list:
+        if msg.startswith('\nEnter the password for the '+role):
+          for keyid in self.top_level_role_info[role]['keyids']:
+            if msg.endswith(keyid+'): '):
+              return self.rsa_passwords[keyid]
+      error_msg = ('Prompt: '+'\''+msg+'\''+
+          ' did not match any predefined mock prompts.')
+      raise tuf.Error(error_msg)
+
+    #  Monkey patch '_prompt'.
+    signercli._get_password = _mock_get_password
+
+
+
+
+
+  #  UNIT TESTS.
+  #  If a unit test starts with test_# followed by two underscores,
+  #  (test_#__method) this means that it's an internal method of signercli.
+  #  For instance the unit test for signercli._get_password() would
+  #  look like this: test_1__get_password, whereas unit test for
+  #  signercli.change_password would look like this:
+  #  test_3_change_password().
+
+  def test_1__check_directory(self):
+
+    # SETUP
+    directory = self.make_temp_directory()
+    no_such_dir = self.random_path()
+
+
+    # TESTS
+    #  Test: normal case.
+    self.assertEqual(signercli._check_directory(directory), directory)
+
+    #  Test: invalid directory.
+    self.assertRaises(tuf.RepositoryError, signercli._check_directory,
+        no_such_dir)
+
+    #  Test: invalid directory type.
+    self.assertRaises(tuf.RepositoryError, signercli._check_directory,
+                      [no_such_dir])
+    self.assertRaises(tuf.RepositoryError, signercli._check_directory,
+                      1234)
+    self.assertRaises(tuf.RepositoryError, signercli._check_directory,
+                      {'directory':no_such_dir})
+
+
+
+
+
+  def test_1__get_password(self):
+
+    # SETUP
+    password = self.random_string()
+    def _mock_getpass(junk1, junk2, pw=password):
+      return pw
+
+    # Patch getpass.getpass().
+    signercli.getpass.getpass = _mock_getpass
+
+
+    # Test: normal case.
+    self.assertEqual(signercli._get_password(), password)
+
+
+
+
+
+  def test_2__get_metadata_directory(self):
+
+    # SETUP
+    meta_directory = self.make_temp_directory()
+    self.mock_prompt(meta_directory)
+
+
+    # TESTS
+    self.assertEqual(signercli._get_metadata_directory(), meta_directory)
+    self.assertTrue(os.path.exists(signercli._get_metadata_directory()))
+    self.mock_prompt(self.random_string())
+    self.assertRaises(tuf.RepositoryError, signercli._get_metadata_directory)
+    self.mock_prompt([self.random_string()])
+    self.assertRaises(tuf.RepositoryError, signercli._get_metadata_directory)
+
+
+
+
+
+  def test_1__list_keyids(self):
+
+    # SETUP
+    keystore_dir = self.create_temp_keystore_directory()
+
+
+    # TESTS
+    #  Test: normal case.
+    signercli._list_keyids(keystore_dir)
+
+
+
+
+
+  def test_2__get_keyids(self):
+    
+    # SETUP    
+    #  Create a temp keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  List of keyids including keyword 'quit'.
+    keyids = ['quit'] + self.rsa_keyids
+
+    #  Patching signercli._prompt()
+    def _mock_prompt(msg, junk):
+
+      #  Pop 'keyids' everytime signercli._prompt() is called.
+      keyid = keyids.pop()
+      if keyid != 'quit':
+        get_password(keyid)
+      return keyid
+
+    signercli._prompt = _mock_prompt
+    
+    #  Patching signercli._get_password().
+    def get_password(keyid):
+      password = self.rsa_passwords[keyid]
+      def _mock_get_password(msg):
+        return password
+
+      signercli._get_password = _mock_get_password
+
+
+    # TESTS
+    #  Test: normal case.
+    loaded_keyids = signercli._get_keyids(keystore_dir)
+    self.assertTrue(tuf.formats.KEYIDS_SCHEMA.matches(loaded_keyids))
+    
+    #  Check if all the keysids were loaded.
+    for keyid in self.rsa_keyids:
+      if keyid not in loaded_keyids:
+        msg = '\nCould not load the keyid: '+repr(keyid)
+        self.fail(msg)
+   
+    #  Test: invalid password.
+    keyids = ['quit', self.rsa_keyids[0]]
+    saved_pw = self.rsa_passwords[keyid]
+    
+    #  Invalid password
+    self.rsa_passwords[self.rsa_keyids[0]] = self.random_string()
+    self.assertEqual(signercli._get_keyids(keystore_dir), [])
+
+    #  Restore the password.
+    self.rsa_passwords[self.rsa_keyids[0]] = saved_pw
+
+    #  Test: invalid keyid.
+    keyid = self.random_string()
+    keyids = ['quit', keyid]
+
+    #  Create an invalid entry in the passwords dictionary.
+    self.rsa_passwords[keyid] = self.random_string()
+    self.assertEqual(signercli._get_keyids(keystore_dir), [])
+
+    #  Restore passwords dictionary.
+    del self.rsa_passwords[keyid]
+
+
+
+
+
+  def test_2__get_all_config_keyids(self):
+
+    # SETUP
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build the config file needed by '_get_all_config_keyids.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Create a temp keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  'sample_keyid' used to test invalid keyid.
+    sample_keyid = self.rsa_keyids[0]
+
+    #  Patch signercli._get_password()
+    self.get_passwords()
+
+
+    # TESTS
+    #  Test: an incorrect password.
+    saved_pw = self.rsa_passwords[sample_keyid]
+    self.rsa_passwords[sample_keyid] = self.random_string()
+    self.assertRaises(tuf.Error, signercli._get_all_config_keyids,
+                      config_filepath, keystore_dir)
+
+    #  Restore the password.
+    self.rsa_passwords[sample_keyid] = saved_pw
+
+    #  Test: missing top-level role in the config file.
+    #    Clear keystore's dictionaries.
+    keystore.clear_keystore()
+
+    #    Remove a role from 'top_level_role_info' which is used to construct
+    #    config file.
+    targets_holder = self.top_level_role_info['targets']
+    del self.top_level_role_info['targets']
+
+    #    Build config file without 'targets' role.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+    self.assertRaises(tuf.Error, signercli._get_all_config_keyids,
+                      config_filepath, keystore_dir)
+
+    #    Rebuild config file and 'top_level_role_info'.
+    self.top_level_role_info['targets'] = targets_holder
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Test: non-existing config file path.
+    keystore.clear_keystore()
+    self.assertRaises(tuf.Error, signercli._get_all_config_keyids,
+                      self.random_path(), keystore_dir)
+
+    #  Test: normal case.
+    keystore.clear_keystore()
+    signercli._get_all_config_keyids(config_filepath, keystore_dir)
+
+
+
+
+
+  def test_2__get_role_config_keyids(self):
+
+    # SETUP
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build a config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+    #  Create a temp keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  Patch '_get_password' method.
+    self.get_passwords()
+
+
+    # TESTS
+    for role in self.role_list:
+      #  Test: normal cases.
+      keystore.clear_keystore()
+      signercli._get_role_config_keyids(config_filepath, keystore_dir, role)
+      
+      #  Test: incorrect passwords.
+      keystore.clear_keystore()
+      role_keyids = self.top_level_role_info[role]['keyids']
+      for keyid in role_keyids:
+        saved_pw = self.rsa_passwords[keyid]
+        self.rsa_passwords[keyid] = self.random_string()
+        self.assertRaises(tuf.Error, signercli._get_role_config_keyids,
+            config_filepath, keystore_dir, role)
+
+        #    Restore the password.
+        self.rsa_passwords[keyid] = saved_pw
+
+    #  Test: non-existing config file path.
+    keystore.clear_keystore()
+    self.assertRaises(tuf.Error, signercli._get_role_config_keyids,
+        self.random_path(), keystore_dir, 'release')
+
+    #  Test: non-existing role.
+    keystore.clear_keystore()
+    self.assertRaises(tuf.Error, signercli._get_role_config_keyids,
+                      config_filepath, keystore_dir, 'no_such_role')
+
+
+
+
+
+  def test_1__sign_and_write_metadata(self):
+
+    # SETUP
+    #  Role to test.
+    role = 'root'
+
+    #  Create temp directory.
+    temp_dir = self.make_temp_directory()
+
+    #  File name.
+    filename = os.path.join(temp_dir, role+'.txt')
+
+    #  Role's keyids.
+    keyids = self.top_level_role_info[role]['keyids']
+
+    #  Create a temp keystore directory.
+    keystore_dir =\
+        self.create_temp_keystore_directory(keystore_dicts=True)
+
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Create role's metadata.
+    signable_meta = signerlib.generate_root_metadata(config_filepath)
+
+
+    # TESTS
+    #  Test: normal case.
+    signercli._sign_and_write_metadata(signable_meta, keyids, filename)
+
+    #  Verify that the root meta file was created.
+    self.assertTrue(os.path.exists(filename))
+
+    Errors = (tuf.Error, tuf.FormatError)
+
+    #  Test: invalid metadata.
+    self.assertRaises(Errors, signercli._sign_and_write_metadata,
+                      self.random_string(), keyids, filename)
+
+    #  Test: invalid keyids
+    invalid_keyids = self.random_string()
+    self.assertRaises(Errors, signercli._sign_and_write_metadata,
+                      signable_meta, invalid_keyids, filename)
+
+    #  Test: invalid filename
+    self.assertRaises(Errors, signercli._sign_and_write_metadata,
+                      signable_meta, invalid_keyids, True)
+
+
+
+
+  def test_2_change_password(self):
+
+    # SETUP
+    test_keyid = self.rsa_keyids[0]
+    self.mock_prompt(test_keyid)
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  Specify old password and create a new password.
+    old_password = self.rsa_passwords[test_keyid]
+    new_password = self.random_string()
+
+    #  Mock method for signercli._get_password()
+    def _mock_get_password(msg, confirm=False, old_pw=old_password,
+        new_pw=new_password):
+      if msg.startswith('\nEnter the old password for the keyid: '):
+        return old_pw
+      else:
+        return new_pw
+
+    #  Patch signercli._get_password.
+    signercli._get_password = _mock_get_password
+
+
+    # TESTS
+    #  Test: normal case.
+    signercli.change_password(keystore_dir)
+
+    #  Verify password change.
+    self.assertEqual(keystore._key_passwords[test_keyid], new_password)
+
+    #  Test: non-existing keyid.
+    keystore.clear_keystore()
+    self.mock_prompt(self.random_string(15))
+    self.assertRaises(tuf.RepositoryError, signercli.change_password,
+                      keystore_dir)
+
+    #  Restore the prompt input to existing keyid.
+    self.mock_prompt(test_keyid)
+
+    #  Test: non-existing old password.
+    keystore.clear_keystore()
+    old_password = self.random_string()
+    self.assertRaises(tuf.RepositoryError, signercli.change_password,
+                      keystore_dir)
+
+
+
+
+
+  def test_2_generate_rsa_key(self):
+
+    # SETUP
+    #  Method to patch signercli._get_password()
+    def _mock_get_password(junk, confirm=False):
+      return self.random_string()
+
+    #  Patch signercli._get_password()
+    signercli._get_password = _mock_get_password
+
+    #  Create a temp keystore directory.
+    keystore_dir = self.make_temp_directory()
+
+
+    # TESTS
+    #  Test: invalid rsa bits.
+    self.mock_prompt(1024)
+    self.assertRaises(tuf.RepositoryError, signercli.generate_rsa_key,
+                      keystore_dir)
+    #  Input appropriate number of rsa bits.
+    self.mock_prompt(3072)
+
+    #  Test: normal case.
+    signercli.generate_rsa_key(keystore_dir)
+
+    #  Was the key file added to the directory?
+    self.assertTrue(os.listdir(keystore_dir))
+
+
+
+
+
+  def test_2_dump_key(self):
+
+    # SETUP
+    keyid = self.rsa_keyids[0]
+    password = self.rsa_passwords[keyid]
+    show_priv = 'private'
+
+
+    #  Mock method for signercli._get_password().
+    def _mock_get_password(msg):
+      return password
+
+    #  Mock method for signercli._prompt().
+    def _mock_prompt(msg, junk):
+       if msg.startswith('\nEnter the keyid'):
+         return keyid
+       else:
+         return show_priv
+
+    #  Patch signercli._get_password().
+    signercli._get_password = _mock_get_password
+
+    #  Patch signercli._prompt().
+    signercli._prompt = _mock_prompt
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+
+    # TESTS
+    #  Test: normal case.
+    signercli.dump_key(keystore_dir)
+
+    #  Test: incorrect password.
+    saved_pw = password
+    password = self.random_string()
+    self.assertRaises(tuf.RepositoryError, signercli.dump_key,
+                      keystore_dir)
+
+    #  Restore the correct password.
+    password = saved_pw
+
+    #  Test: non-existing keyid.
+    keyid = self.random_string()
+    self.assertRaises(tuf.RepositoryError, signercli.dump_key,
+                      keystore_dir)
+    keyid = self.rsa_keyids[0]
+
+
+
+
+
+  def test_3_make_root_metadata(self):
+
+    # SETUP
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build a config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+        self.top_level_role_info)
+
+    #  Create a temp metadata directory.
+    meta_dir = self.make_temp_directory()
+
+    #  Patch signercli._get_metadata_directory().
+    self.mock_get_metadata_directory(directory=meta_dir)
+
+    #  Patch signercli._prompt().
+    self.mock_prompt(config_filepath)
+
+    #  Patch signercli._get_password().
+    self.get_passwords()
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+
+    # TESTS
+    #  Test: normal case.
+    signercli.make_root_metadata(keystore_dir)
+
+    #  Verify that the root metadata path was created.
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+
+    #  Test: invalid config path.
+    #  Clear keystore's dictionaries.
+    keystore.clear_keystore()
+
+    #  Supply a non-existing path to signercli._prompt().
+    self.mock_prompt(self.random_path())
+    self.assertRaises(tuf.RepositoryError, signercli.make_root_metadata,
+                      keystore_dir)
+
+    #  Re-patch signercli._prompt() with valid config path.
+    self.mock_prompt(config_filepath)
+
+    #  Test: incorrect 'root' passwords.
+    #  Clear keystore's dictionaries.
+    keystore.clear_keystore()
+    keyids = self.top_level_role_info['root']['keyids']
+    for keyid in keyids:
+      saved_pw = self.rsa_passwords[keyid]
+      self.rsa_passwords[keyid] = self.random_string()
+      self.assertRaises(tuf.RepositoryError, signercli.make_root_metadata,
+                        keystore_dir)
+      self.rsa_passwords[keyid] = saved_pw
+
+
+
+
+
+  def test_3_make_targets_metadata(self):
+
+    # SETUP
+    #  Create a temp repository and metadata directories.
+    repo_dir = self.make_temp_directory()
+    meta_dir = self.make_temp_directory(directory=repo_dir)
+
+    #  Create a directory containing target files.
+    targets_dir, targets_paths =\
+        self.make_temp_directory_with_data_files(directory=repo_dir)
+
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build a config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Patch signercli._get_metadata_directory()
+    self.mock_get_metadata_directory(directory=meta_dir)
+
+    #  Patch signercli._get_password().  Used in _get_role_config_keyids()
+    self.get_passwords()
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  Mock method for signercli._prompt().
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+
+    # TESTS
+    #  Test: normal case.
+    signercli.make_targets_metadata(keystore_dir)
+
+    #  Verify that targets metadata file was created.
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
+
+    #  Test: invalid targets path.
+    #  Clear keystore's dictionaries.
+    keystore.clear_keystore()
+
+    #  Supply a non-existing targets directory.
+    self.make_metadata_mock_prompts(targ_dir=self.random_path(),
+                                    conf_path=config_filepath)
+    self.assertRaises(tuf.RepositoryError, signercli.make_targets_metadata,
+                      keystore_dir)
+
+    #  Restore the targets directory.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+    #  Test: invalid config path.
+    #  Clear keystore's dictionaries.
+    keystore.clear_keystore()
+
+    #  Supply a non-existing config path.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=self.random_path())
+    self.assertRaises(tuf.RepositoryError, signercli.make_targets_metadata,
+                      keystore_dir)
+
+    #  Restore the config file path.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+    #  Test: incorrect 'targets' passwords.
+    #  Clear keystore's dictionaries.
+    keystore.clear_keystore()
+    keyids = self.top_level_role_info['targets']['keyids']
+    for keyid in keyids:
+      saved_pw = self.rsa_passwords[keyid]
+      self.rsa_passwords[keyid] = self.random_string()
+      self.assertRaises(tuf.RepositoryError, signercli.make_targets_metadata,
+                        keystore_dir)
+      self.rsa_passwords[keyid] = saved_pw
+
+
+
+
+
+  def test_4_make_release_metadata(self):
+
+    #  In order to build release metadata file (release.txt),
+    #  root and targets metadata files (root.txt, targets.txt)
+    #  must exist in the metadata directory.
+
+    # SETUP
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build a config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Create a temp repository and metadata directories.
+    repo_dir = self.make_temp_directory()
+    meta_dir = self.make_temp_directory(repo_dir)
+
+    #  Create a directory containing target files.
+    targets_dir, targets_paths = \
+        self.make_temp_directory_with_data_files(directory=repo_dir)
+
+    #  Patch signercli._get_metadata_directory().
+    self.mock_get_metadata_directory(directory=meta_dir)
+
+    #  Patch signercli._get_password().  Used in _get_role_config_keyids().
+    self.get_passwords()
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  Mock method for signercli._prompt().
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+
+    # TESTS
+    #  Test: no root.txt in the metadata dir.
+    signercli.make_targets_metadata(keystore_dir)
+
+    #  Verify that 'tuf.RepositoryError' is raised due to a missing root.txt.
+    keystore.clear_keystore()
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
+    self.assertRaises(tuf.RepositoryError, signercli.make_release_metadata,
+                      keystore_dir)
+    os.remove(os.path.join(meta_dir,'targets.txt'))
+    keystore.clear_keystore()
+
+    #  Test: no targets.txt in the metadatadir.
+    signercli.make_root_metadata(keystore_dir)
+    keystore.clear_keystore()
+
+    #  Verify that 'tuf.RepositoryError' is raised due to a missing targets.txt.
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+    self.assertRaises(tuf.RepositoryError, signercli.make_release_metadata,
+                      keystore_dir)
+    os.remove(os.path.join(meta_dir,'root.txt'))
+    keystore.clear_keystore()
+
+    #  Test: normal case.
+    signercli.make_root_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_targets_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_release_metadata(keystore_dir)
+    keystore.clear_keystore()
+
+    #  Verify if the root, targets and release meta files were created.
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'release.txt')))
+
+    #  Test: invalid config path.
+    #  Supply a non-existing config file path.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+        conf_path=self.random_path())
+    self.assertRaises(tuf.RepositoryError, signercli.make_release_metadata,
+        keystore_dir)
+
+    #  Restore the config file path.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+        conf_path=config_filepath)
+
+    #  Test: incorrect 'release' passwords.
+    #  Clear keystore's dictionaries.
+    keystore.clear_keystore()
+    keyids = self.top_level_role_info['release']['keyids']
+    for keyid in keyids:
+      saved_pw = self.rsa_passwords[keyid]
+      self.rsa_passwords[keyid] = self.random_string()
+      self.assertRaises(tuf.RepositoryError, signercli.make_release_metadata,
+          keystore_dir)
+      self.rsa_passwords[keyid] = saved_pw
+
+
+
+
+
+  def test_5_make_timestamp_metadata(self):
+
+
+    #  In order to build timestamp metadata file (timestamp.txt),
+    #  root, targets and release metadata files (root.txt, targets.txt
+    #  release.txt) must exist in the metadata directory.
+
+    # SETUP
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build a config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Create a temp repository and metadata directories.
+    repo_dir = self.make_temp_directory()
+    meta_dir = self.make_temp_directory(repo_dir)
+
+    #  Create a directory containing target files.
+    targets_dir, targets_paths = \
+        self.make_temp_directory_with_data_files(directory=repo_dir)
+
+    #  Patch signercli._get_metadata_directory().
+    self.mock_get_metadata_directory(directory=meta_dir)
+
+    #  Patch signercli._get_password().  Used in _get_role_config_keyids().
+    self.get_passwords()
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  Mock method for signercli._prompt().
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+
+    # TESTS
+    #  Test: no root.txt in the metadata dir.
+    signercli.make_targets_metadata(keystore_dir)
+
+    #  Verify if the targets metadata file was created.
+    keystore.clear_keystore()
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
+    self.assertRaises(tuf.RepositoryError, signercli.make_timestamp_metadata,
+                      keystore_dir)
+    os.remove(os.path.join(meta_dir,'targets.txt'))
+    keystore.clear_keystore()
+
+    #  Test: no targets.txt in the metadatadir.
+    signercli.make_root_metadata(keystore_dir)
+
+    #  Verify if the root metadata file was created.
+    keystore.clear_keystore()
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+    self.assertRaises(tuf.RepositoryError, signercli.make_timestamp_metadata,
+                      keystore_dir)
+    os.remove(os.path.join(meta_dir,'root.txt'))
+    keystore.clear_keystore()
+
+    #  Test: no release.txt in the metadatadir.
+    signercli.make_root_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_targets_metadata(keystore_dir)
+    keystore.clear_keystore()
+
+    #  Verify that 'tuf.Repository' is raised due to a missing release.txt.
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
+    self.assertRaises(tuf.RepositoryError, signercli.make_timestamp_metadata,
+                      keystore_dir)
+    os.remove(os.path.join(meta_dir,'root.txt'))
+    os.remove(os.path.join(meta_dir,'targets.txt'))
+    keystore.clear_keystore()
+
+    #  Test: normal case.
+    signercli.make_root_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_targets_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_release_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_timestamp_metadata(keystore_dir)
+    keystore.clear_keystore()
+
+    #  Verify if the root, targets and release metadata files were created.
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'release.txt')))
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'timestamp.txt')))
+
+    #  Test: invalid config path.
+    #  Supply a non-existing config file path.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=self.random_path())
+    self.assertRaises(tuf.RepositoryError,
+                      signercli.make_release_metadata, keystore_dir)
+
+    #  Restore the config file path.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+    #  Test: incorrect 'release' passwords.
+
+    #  Clear keystore's dictionaries.
+    keystore.clear_keystore()
+
+    keyids = self.top_level_role_info['release']['keyids']
+    for keyid in keyids:
+      saved_pw = self.rsa_passwords[keyid]
+      self.rsa_passwords[keyid] = self.random_string()
+      self.assertRaises(tuf.RepositoryError,
+                        signercli.make_release_metadata, keystore_dir)
+      self.rsa_passwords[keyid] = saved_pw
+
+
+
+
+
+  def test_6_sign_metadata_file(self):
+
+    #  To test this method, an RSA key will be created with
+    #  a password in addition to the existing RSA keys.
+
+    # SETUP
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build a config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Create a temp repository and metadata directories.
+    repo_dir = self.make_temp_directory()
+    meta_dir = self.make_temp_directory(repo_dir)
+
+    #  Create a directory containing target files.
+    targets_dir, targets_paths = \
+        self.make_temp_directory_with_data_files(directory=repo_dir)
+
+    #  Patch signercli._get_metadata_directory().
+    self.mock_get_metadata_directory(directory=meta_dir)
+
+    #  Patch signercli._get_password().  Used in _get_role_config_keyids().
+    self.get_passwords()
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  Mock method for signercli._prompt().
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+    #  Create metadata files.
+    signercli.make_root_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_targets_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_release_metadata(keystore_dir)
+    keystore.clear_keystore()
+    signercli.make_timestamp_metadata(keystore_dir)
+    keystore.clear_keystore()
+
+    #  Verify if the root, targets and release meta files were created.
+    root_meta_filepath = os.path.join(meta_dir, 'root.txt')
+    targets_meta_filepath = os.path.join(meta_dir, 'targets.txt')
+    release_meta_filepath = os.path.join(meta_dir, 'release.txt')
+    timestamp_meta_filepath = os.path.join(meta_dir, 'timestamp.txt')
+
+    self.assertTrue(os.path.exists(root_meta_filepath))
+    self.assertTrue(os.path.exists(targets_meta_filepath))
+    self.assertTrue(os.path.exists(release_meta_filepath))
+    self.assertTrue(os.path.exists(timestamp_meta_filepath))
+
+
+    #  Create a new RSA key, indicate metadata filename.
+    new_keyid = self.generate_rsakey()
+    meta_filename = targets_meta_filepath
+
+    #  Create keystore directory.  New key is untouched.
+    keystore_dir = self.create_temp_keystore_directory(keystore_dicts=True)
+
+    #  List of keyids to be returned by _get_keyids()
+    signing_keyids = []
+
+    #  Method to patch signercli._get_keyids()
+    def _mock_get_keyids(junk):
+      return signing_keyids
+
+    #  Method to patch signercli._prompt().
+    def _mock_prompt(msg, junk):
+      return meta_filename
+
+    #  Patch signercli._get_keyids()
+    signercli._get_keyids = _mock_get_keyids
+
+    #  Patch signercli._prompt().
+    signercli._prompt = _mock_prompt
+
+
+    # TESTS
+    #  Test: no loaded keyids.
+    self.assertRaises(tuf.RepositoryError,
+                      signercli.sign_metadata_file, keystore_dir)
+
+    #  Load new keyid.
+    signing_keyids = [new_keyid]
+
+    #  Test: normal case.
+    signercli.sign_metadata_file(keystore_dir)
+
+    #  Verify the change.
+    self.assertTrue(os.path.exists(targets_meta_filepath))
+
+    #  Load targets metadata from the file ('targets.txt').
+    targets_metadata = tuf.util.load_json_file(targets_meta_filepath)
+    keyid_exists = False
+    for signature in targets_metadata['signatures']:
+      if new_keyid == signature['keyid']:
+        keyid_exists = True
+        break
+
+    self.assertTrue(keyid_exists)
+
+
+
+
+
+  def test_7_make_delegation(self):
+    # SETUP
+    #  Create a temp repository and metadata directories.
+    repo_dir = self.make_temp_directory()
+    meta_dir = self.make_temp_directory(directory=repo_dir)
+
+    #  Create targets directories.
+    targets_dir, targets_paths =\
+        self.make_temp_directory_with_data_files(directory=repo_dir)
+    delegated_targets_dir = os.path.join(targets_dir,'targets',
+                                         'delegated_level1')
+
+    #  Assign parent role and name of the delegated role.
+    parent_role = 'targets'
+    delegated_role = 'delegated_role_1'
+
+    #  Create couple new RSA keys for delegation levels 1 and 2.
+    new_keyid_1 = self.generate_rsakey()
+    new_keyid_2 = self.generate_rsakey()
+
+    #  Create temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  Build a config file.
+    config_filepath = signerlib.build_config_file(config_dir, 365,
+                                                  self.top_level_role_info)
+
+    #  Patch signercli._get_metadata_directory().
+    self.mock_get_metadata_directory(directory=meta_dir)
+
+    #  Patch signercli._get_password().  Get passwords for parent's keyids.
+    self.get_passwords()
+
+    #  Create keystore directory.
+    keystore_dir = self.create_temp_keystore_directory()
+
+    #  Mock method for signercli._prompt() to generate targets.txt file.
+    self.make_metadata_mock_prompts(targ_dir=targets_dir,
+                                    conf_path=config_filepath)
+
+    #  List of keyids to be returned by _get_keyids()
+    signing_keyids = [new_keyid_1]
+
+    #  Load keystore.
+    load_keystore = keystore.load_keystore_from_keyfiles
+
+    #  Build targets metadata file (targets.txt).
+    signercli.make_targets_metadata(keystore_dir)
+
+    #  Clear kestore's dictionaries.
+    keystore.clear_keystore()
+
+    #  Mock method for signercli._prompt().
+    def _mock_prompt(msg, junk):
+      if msg.startswith('\nNOTE: The directory entered'):
+        return delegated_targets_dir
+      elif msg.startswith('\nChoose and enter the parent'):
+        return parent_role
+      elif msg.endswith('\nEnter the delegated role\'s name: '):
+        return delegated_role
+      else:
+        error_msg = ('Prompt: '+'\''+msg+'\''+
+                     ' did not match any predefined mock prompts.')
+        self.fail(error_msg)
+
+    #  Mock method for signercli._get_password().
+    def _mock_get_password(msg):
+      for keyid in self.rsa_keyids:
+        if msg.endswith('('+keyid+'): '):
+          return self.rsa_passwords[keyid]
+
+    #  Method to patch signercli._get_keyids()
+    def _mock_get_keyids(junk):
+      if signing_keyids:
+        for keyid in signing_keyids:
+          password = self.rsa_passwords[keyid]
+          #  Load the keyfile.
+          load_keystore(keystore_dir, [keyid], [password])
+      return signing_keyids
+
+    #  Patch signercli._prompt().
+    signercli._prompt = _mock_prompt
+
+    #  Patch signercli._get_password().
+    signercli._get_password = _mock_get_password
+
+    #  Patch signercli._get_keyids().
+    signercli._get_keyids = _mock_get_keyids
+
+
+    # TESTS
+    #  Test: invalid parent role.
+    #  Assign a non-existing parent role.
+    parent_role = self.random_string()
+    self.assertRaises(tuf.RepositoryError, signercli.make_delegation,
+                      keystore_dir)
+
+    #  Restore parent role.
+    parent_role = 'targets'
+
+    #  Test: invalid password(s) for parent's keyids.
+    keystore.clear_keystore()
+    parent_keyids = self.top_level_role_info[parent_role]['keyids']
+    for keyid in parent_keyids:
+      saved_pw = self.rsa_passwords[keyid]
+      self.rsa_passwords[keyid] = self.random_string()
+      self.assertRaises(tuf.RepositoryError, signercli.make_delegation,
+                        keystore_dir)
+      self.rsa_passwords[keyid] = saved_pw
+
+    #  Test: delegated_keyids > 1 or (== 0).
+    keystore.clear_keystore()
+
+    #  Load keyids ( > 1).
+    #  'signing_keyids' already contains 'new_keyid', add more.
+    for keyid in self.top_level_role_info['release']['keyids']:
+      signing_keyids.append(keyid)
+    self.assertRaises(tuf.RepositoryError, signercli.make_delegation,
+                      keystore_dir)
+    keystore.clear_keystore()
+
+    #  Load 0 keyids (== 0).
+    signing_keyids = []
+    self.assertRaises(tuf.RepositoryError, signercli.make_delegation,
+                      keystore_dir)
+    keystore.clear_keystore()
+
+    #  Restore signing_keyids (== 1).
+    signing_keyids = [new_keyid_1]
+
+    #  Test: normal case 1.
+    #  Testing first level delegation.
+    signercli.make_delegation(keystore_dir)
+
+    #  Verify delegated metadata file exists.
+    delegated_meta_file = os.path.join(meta_dir, parent_role,
+                                       delegated_role+'.txt')
+    self.assertTrue(os.path.exists(delegated_meta_file))
+
+    #  Test: normal case 2.
+    #  Testing second level delegation.
+    keystore.clear_keystore()
+
+    #  Make necessary adjustments for the test.
+    signing_keyids = [new_keyid_2]
+    delegated_targets_dir = os.path.join(delegated_targets_dir,
+                                         'delegated_level2')
+    parent_role = os.path.join(parent_role, delegated_role)
+    delegated_role = 'delegated_role_2'
+
+    signercli.make_delegation(keystore_dir)
+
+    #  Verify delegated metadata file exists.
+    delegated_meta_file = os.path.join(meta_dir, parent_role,
+                                       delegated_role+'.txt')
+    self.assertTrue(os.path.exists(delegated_meta_file))
+
+
+
+
+
+# Run unit tests.
+loader = unittest_toolbox.unittest.TestLoader
+suite = loader().loadTestsFromTestCase(TestSignercli)
+unittest_toolbox.unittest.TextTestRunner(verbosity=2).run(suite)
diff --git a/src/tuf/tests/test_signerlib.py b/src/tuf/tests/test_signerlib.py
new file mode 100755
index 00000000..5c70c4ef
--- /dev/null
+++ b/src/tuf/tests/test_signerlib.py
@@ -0,0 +1,840 @@
+"""
+<Program Name>
+  test_signerlib.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  September 6, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Test_signerlib.py provides collection of methods that tries to test all the
+  units (methods) of the module under test.
+
+  This unittest module requires setting of rsa keys, keyids and such.
+  There is a method in unittest_toolbox.Modified_TestCase class
+  'bind_keys_to_roles()'.  This method  will set dictionaries
+  'top_level_role_info' and 'rsa_keystore'.
+
+  'top_level_role_info' corresponds to ROLEDICT_SCHEMA and it looks like this:
+    {'rolename': {'keyids': ['34345df32093bd12...'], 'threshold': 1}, ...}
+
+  'rsa_keystore' looks like this: {keyid : { -- RSAKEY_SCHEMA --}, ... }  or
+    {keyid : {'keytype': 'rsa', 'keyid': keyid,
+              'keyval': {'public': 'PUBLIC KEY',
+                         'private  ': 'PRIVATE KEY'}}, ... }
+
+  unittest_toolbox module was created to provide additional testing tools for
+  tuf's modules.  For more info see unittest_toolbox.py.
+
+
+<Methodology>
+  Unittests must follow a specific structure i.e. independent methods should
+  be tested prior to dependent methods. More accurately: least dependent methods
+  are tested before most dependent methods.  There is no reason to rewrite or
+  construct other methods that replicate already-tested methods solely for
+  testing purposes.  This is possible because 'unittest.TestCase' class guarantees
+  the order of unit tests.  So that, 'test_something_A' method would be tested
+  before 'test_something_B'.  To ensure the structure a number will be placed
+  after 'test' and before methods name like so 'test_1_check_directory'.  The
+  number is sort of a measure of dependence, where 1 is less dependent than 2.
+
+"""
+
+import os
+import tempfile
+import filecmp
+import shutil
+import ConfigParser
+import gzip
+
+import tuf.util
+import tuf.formats as formats
+import tuf.repo.signerlib as signerlib
+import tuf.tests.unittest_toolbox
+
+# 'unittest_toolbox.Modified_TestCase' is too long, I'll set it to 'unit_tbox'.
+unit_tbox = tuf.tests.unittest_toolbox.Modified_TestCase
+test_loader = tuf.tests.unittest_toolbox.unittest.TestLoader
+
+# Generate rsa keys and roles dictionary dictionaries.
+unit_tbox.bind_keys_to_roles()
+
+
+class TestSignerlib(unit_tbox):
+  # Test methods.
+
+  def test_1_get_metadata_filenames(self):
+
+    # SETUP
+    metadata_dir = self.make_temp_directory()
+    empty_dir = ''
+
+    def _get_metadata_filenames(test_metadata_dir):
+      filenames = signerlib.get_metadata_filenames(test_metadata_dir)
+      if test_metadata_dir is None:
+        test_metadata_dir = '.'
+
+      #  Check if a dictionary instance with 4 mappings is returned.
+      self.assertTrue(isinstance(filenames, dict))
+      self.assertFalse(not filenames, 'Empty dictionary returned.')
+      self.assertEqual(len(filenames), 4)
+
+      #  Check if all the keys in 'filenames' dictionary
+      #  correspond to 'role_list' items i.e. all top level
+      #  roles are include in the 'filenames' with their
+      #  appropriate paths as values.
+      for role in unit_tbox.role_list:
+        value_at_role = os.path.join(test_metadata_dir, role+'.txt')
+        self.assertTrue(role in filenames)
+        self.assertEqual(filenames[role], value_at_role)
+
+    # Run _get_metadata_filenames(arg) trying different arguments.
+    self.assertRaises(tuf.FormatError, signerlib.get_metadata_filenames, 123)
+    _get_metadata_filenames(metadata_dir)
+    _get_metadata_filenames(empty_dir)
+
+
+
+
+
+  def test_1_get_metadata_file_info(self):
+
+    # SETUP
+    temp_file_path = self.make_temp_data_file()
+    rand_str = self.random_string()
+
+
+    # TESTS
+    #  Test: improper arguments that should raise exceptions.
+    self.assertRaises(tuf.Error, signerlib.get_metadata_file_info, '')
+    self.assertRaises(tuf.FormatError, signerlib.get_metadata_file_info,
+                      123)
+    self.assertRaises(tuf.FormatError, signerlib.get_metadata_file_info,
+                      {rand_str: rand_str})
+    self.assertRaises(tuf.FormatError, signerlib.get_metadata_file_info,
+                      [rand_str, rand_str])
+
+    #  Make sure the format return by 'get_metadata_file_info'
+    #  matches tuf.formats.FILEINFO_SCHEMA.
+    file_info = signerlib.get_metadata_file_info(temp_file_path)
+    self.assertTrue(formats.FILEINFO_SCHEMA.matches(file_info))
+
+
+
+
+
+  def test_1_generate_and_save_rsa_key(self):
+    """
+    generate_and_save_rsa_key() is independent from all the other methods in
+    signerlib.  In order to test this method all we need is to create a temp
+    directory and a sample password.
+    """
+
+    # SETUP
+    keystore_dir = self.make_temp_directory()
+    password = self.random_string()
+
+
+    # TESTS
+    #  Test: Run generate_and_save_rsa_key().
+    rsakey = signerlib.generate_and_save_rsa_key(keystore_dir, password)
+    self.assertTrue(formats.RSAKEY_SCHEMA.matches(rsakey))
+
+    #  Test: Check if rsa key file was created.
+    key_path = os.path.join(keystore_dir, rsakey['keyid']+'.key')
+    self.assertTrue(os.path.exists(key_path))
+
+
+
+
+
+  def test_1_read_config_file(self):
+    """
+    A short test of 'read_config_file' method.  Using a tuple
+    that contains config dictionary and a config file containing
+    the same dictionary, test if 'read_config_file' returns a
+    dictionary corresponding to the supplied config dictionary when
+    config file is passes.
+    """
+
+    # SETUP
+    #  'base_config' is a tuple containing a config file path and
+    #  a corresponding config dictionary.  Note, make sure appropriate
+    #  suffix is set.  In our case it will be 'signerlib.CONFIG_FILENAME'.
+    base_config = self.make_temp_config_file(suffix=signerlib.CONFIG_FILENAME)
+
+
+    # TESTS
+    #  Test: normal case.
+    self.assertTrue(signerlib.read_config_file(base_config[0]),
+                    base_config[1])
+
+    #  Test: exceptions.
+    self.assertRaises(tuf.FormatError, signerlib.read_config_file, 123)
+    self.assertRaises((tuf.Error, tuf.FormatError), signerlib.read_config_file,
+                      '')
+    self.assertRaises((tuf.Error, tuf.FormatError), signerlib.read_config_file,
+                      'junk/dir/'+self.random_string())
+    self.assertRaises(tuf.FormatError, signerlib.read_config_file,
+                      [self.random_string()])
+
+
+
+
+
+  def test_1_generate_targets_metadata(self):
+
+    # SETUP
+    generate_targets_meta = signerlib.generate_targets_metadata
+
+    #  Generate target files.
+    #  'repo_dir' represents repository base.
+    #  'target_files' represents a list of relative target paths.
+    repo_dir, target_files = self.make_temp_directory_with_data_files()
+
+
+    # TESTS
+    #  Test: Run the generate_targets_metadata().  Test its return value.
+    #  Its return value should correspond to tuf.formats.SIGNABLE_SCHEMA
+    target_signable_obj = generate_targets_meta(repo_dir, target_files)
+
+    #  Test: Validate input.
+    self.assertTrue(formats.SIGNABLE_SCHEMA.matches(target_signable_obj))
+
+    #  Test: various invalid parameters.
+    self.assertRaises(tuf.FormatError, generate_targets_meta,
+                      repo_dir, 1234)
+    self.assertRaises(tuf.FormatError, generate_targets_meta,
+                      repo_dir, self.random_string())
+    self.assertRaises(tuf.FormatError, generate_targets_meta,
+                      repo_dir, [self.random_string(), 1234])
+    self.assertRaises(tuf.Error, generate_targets_meta,
+                      self.random_path(), target_files)
+
+
+
+
+
+  def test_1_check_directory(self):
+    """
+    Quick test to ensure that the method returns valid output.
+    """
+
+    # SETUP
+    temp_dir, _junk = self.make_temp_directory_with_data_files()
+    rand_str = self.random_string()
+
+
+    # TESTS
+    #  Test: normal case, check proper output.
+    self.assertEqual(signerlib.check_directory(temp_dir), temp_dir)
+
+    #  Test exceptions.
+    self.assertRaises(tuf.FormatError, signerlib.check_directory, 1234)
+    self.assertRaises(tuf.FormatError, signerlib.check_directory, [rand_str])
+    self.assertRaises(tuf.FormatError, signerlib.check_directory,
+                      {rand_str: rand_str})
+    self.assertRaises(tuf.Error, signerlib.check_directory, self.random_path())
+
+
+
+
+
+  def test_1_write_metadata_file(self):
+
+    # SETUP
+    #  Create temp directory to be prevent any relative path discrepancies.
+    meta_dir = self.make_temp_directory()
+
+    #  Create a temp file to store 'metadata' info in.
+    meta_file = self.make_temp_file(directory=meta_dir)
+
+    #  Use valid input for json obj.
+    signable_dict = {'signatures':[], 'signed':{'role':'info'}}
+
+
+    # TESTS
+    #  Test: normal case.
+    signerlib.write_metadata_file(signable_dict, meta_file)
+
+    #  Extract the content of the temp file.
+    stored_signable_dict = tuf.util.load_json_file(meta_file)
+
+    #  Check if object stored in the file corresponds to SIGNABLE_SCHEMA.
+    self.assertTrue(formats.SIGNABLE_SCHEMA.matches(stored_signable_dict))
+
+    #  Does original dictionary 'signable_dict' matches dictionary retrieved
+    #  from the file - 'stored_signable_dict'?
+    self.assertEqual(signable_dict, stored_signable_dict)
+
+    #  Test: verify exceptions.
+    self.assertRaises(tuf.FormatError, signerlib.write_metadata_file,'','')
+    self.assertRaises(tuf.FormatError, signerlib.write_metadata_file,
+                      [self.random_string()], meta_file)
+    self.assertRaises(tuf.FormatError, signerlib.write_metadata_file,
+                      signable_dict, [self.random_string()])
+    self.assertRaises(tuf.Error, signerlib.write_metadata_file, signable_dict,
+                      self.random_path())
+    self.assertRaises(tuf.FormatError, signerlib.write_metadata_file,
+                      {self.random_string(): self.random_string()},
+                      self.random_path())
+
+
+
+  def test_2_build_config_file(self):
+    """
+    This method tests build_config_file().
+    Previously tested signerlib's read_config_file() is used here.
+    """
+
+    # SETUP
+    #  Declare timeout.
+    days = 365  # number of days
+
+    #  Make a temp directory for config file.
+    config_dir = self.make_temp_directory()
+
+    #  For 'role_info' argument we going to use 'self.top_level_role_info'
+    #  dictionary.  There is more info in the beginning of this test
+    #  module, also in the test.unittest_toolbox module.
+    roledict_info = self.top_level_role_info
+
+
+    # TESTS
+    #  Test: normal case.
+    #  Run build_config_file().  The method is expected to return file
+    #  path of the config file.  We'll compare it to 'roledict_info'.
+    build_config = signerlib.build_config_file
+    config_path = build_config(config_file_directory=config_dir,
+                               timeout=days, role_info=roledict_info)
+
+    #  Check if 'config_path' directory exists.
+    self.assertTrue(os.path.exists(config_path))
+
+    #  Using 'signerlib.read_config_file' method extract config dictionary
+    #  that was stored.
+    config_dict = signerlib.read_config_file(config_path)
+
+    #  Remove 'expiration' key from the extracted config dictionary, since
+    #  initial role dictionary does not have this field.
+    del config_dict['expiration']
+
+    #  Compare the initial dictionary 'roledict_info' with extracted
+    #  dictionary 'config_dict'.  They have to match.
+    self.assertTrue(config_dict, roledict_info)
+
+    #  Test: exceptions on bogus arguments.
+    self.assertRaises(tuf.Error, signerlib.build_config_file,
+                      self.random_path(), 365, roledict_info)
+    self.assertRaises(tuf.FormatError, signerlib.build_config_file,
+                      config_dir, -1, roledict_info)
+    self.assertRaises(tuf.FormatError, signerlib.build_config_file,
+                      config_dir, 365, self.directory_dictionary)
+
+
+
+  def test_3_generate_root_metadata(self):
+    """
+    test_3_build_root_metadata() is based on two other signerlib methods
+    i.e. build_config_file() and read_config_file().  Hence, 3rd level.
+    """
+
+    # SETUP
+    build_config = signerlib.build_config_file
+
+    #  Create a temp directory to hold a config file.
+    config_dir = self.make_temp_directory()
+
+    #  Create config file using previously tested build_config_file().
+    config_path = build_config(config_dir, 365, self.top_level_role_info)
+
+    #  Create a config file without a 'targets' role section.
+    notargets_conf_dir = self.make_temp_directory()
+    saved_targets_role = self.top_level_role_info['targets']
+    del self.top_level_role_info['targets']
+    notargets_conf_path = build_config(notargets_conf_dir, 365,
+                                       self.top_level_role_info)
+
+    #  Restore top_level_role_info to initial state.
+    self.top_level_role_info['targets'] = saved_targets_role
+
+
+    # TESTS
+    #  Test: What if keystore is not set up?
+    self.assertRaises(tuf.UnknownKeyError, signerlib.generate_root_metadata,
+                      config_path)
+
+    #  Patch keystore's get_key method.  No harm is done here since correct
+    #  arguments are passed and keystore methods are tested separately.
+    signerlib.tuf.repo.keystore.get_key = self.get_keystore_key
+
+    #  Test: normal case.  Pass a correct config path.
+    root_meta = signerlib.generate_root_metadata(config_path)
+
+    #  Check if the returned dictionary corresponds to SIGNABLE_SCHEMA.
+    self.assertTrue(formats.SIGNABLE_SCHEMA.matches(root_meta))
+
+    #  Test: bogus arguments.
+    self.assertRaises(tuf.Error, signerlib.generate_root_metadata,
+                      notargets_conf_path)
+    self.assertRaises(tuf.Error, signerlib.generate_root_metadata, '')
+    self.assertRaises(tuf.Error, signerlib.generate_root_metadata,
+                      self.random_string())
+    self.assertRaises(tuf.Error, signerlib.generate_root_metadata,
+                      {self.random_string(): self.random_string()})
+
+
+
+
+
+  def test_4_sign_metadata(self):
+    """
+    test_4_sign_metadata() will require us to create metadata using one of
+    the generate_role_metadata() and use monkey patched keystore's get_key().
+    """
+
+    for role in ['root', 'targets']:
+
+      # SETUP.
+      role_info = self._get_role_info(role)
+      filename = role+'.txt'
+
+
+      # TESTS
+      #  Test: normal case.
+      signable = signerlib.sign_metadata(role_info[0], role_info[1],
+                                         filename)
+
+      #  Check if signable is returned.
+      self.assertTrue(formats.SIGNABLE_SCHEMA.matches(signable))
+
+      #  Test: various bogus parameters.
+      self.assertRaises(tuf.FormatError, signerlib.sign_metadata,
+                        self.random_string(), role_info[1], filename)
+      self.assertRaises(tuf.FormatError, signerlib.sign_metadata,
+                        role_info[0], 12345, filename)
+
+      #  Test: Verifying 'keytype', once is sufficient.
+      if role == 'root':
+        #  Alter keytype field of the rsa key.  Restore it after.
+        for keyid in role_info[1]:
+          key = self.get_keystore_key(keyid)
+          key['keytype'] = 'unknown_type'
+        self.assertRaises(tuf.Error, signerlib.sign_metadata, role_info[0],
+            role_info[1], filename)
+
+        #  Restoring the initial state of rsa_keystore.
+        for keyid in role_info[1]:
+          key = self.get_keystore_key(keyid)
+          key['keytype'] = 'rsa'
+
+
+
+
+
+  def test_5_build_root_file(self):
+    """
+    test_5_build_root_file() relies on previously tested signerlib's
+    generate_root_metadata(), sign_metadata() and write_metadata_file().
+    build_root_file() basically joins these methods together to create
+    root.txt.
+
+    Test Outline: Get signed metadata and other info of a root role.
+    'root_meta' is a tuple - see _get_role_meta() and _get_signed_role_info().
+    Run build_root_file() with created parameters 'config_path', 'root_keyids'
+    and 'meta_dir'.  Verify existence of the created directory.  Extract
+    content of the file and verify that it matches original 'signed_root_meta'
+    dictionary.  Test various bogus parameters.
+    """
+
+    # SETUP
+    signed_root_meta, root_info = self._get_signed_role_info('root')
+    root_keyids = root_info[1]
+    config_path = root_info[3]
+    meta_dir = root_info[2]  # Reuse config's directory.
+    root_meta_path = os.path.join(meta_dir, 'root.txt')
+
+
+    # TESTS
+    #  Test: normal case.
+    signerlib.build_root_file(config_path, root_keyids, meta_dir)
+
+    #  Check existence of the file and validity of it's content.
+    self.assertTrue(os.path.exists(root_meta_path))
+    file_content = tuf.util.load_json_file(root_meta_path)
+    self.assertEqual(signed_root_meta, file_content)
+
+    #  Test: variouse exeptions.
+    self.assertRaises(tuf.Error, signerlib.build_root_file,
+        self.random_path(), root_keyids, meta_dir)
+    self.assertRaises(tuf.Error, signerlib.build_root_file,
+        config_path, root_keyids, self.random_path())
+    self.assertRaises(tuf.FormatError, signerlib.build_root_file,
+        config_path, self.random_string(), meta_dir)
+
+
+
+
+
+  def test_5_build_targets_file(self):
+    """
+    test_5_build_targets_file() relies on previously tested signerlib's
+    generate_targets_metadata(), sign_metadata() and write_metadata_file().
+    build_targets_file() basically joins these methods together to create
+    targets.txt.
+    """
+
+    # SETUP
+    signed_targets_meta, targets_info = self._get_signed_role_info('targets')
+
+    #  'targets_info' is a tuple that includes targets meta, repository dir,
+    #  list of target files.
+    targets_keyids = targets_info[1]
+    repo_dir = targets_info[2]
+    meta_dir = os.path.join(repo_dir, 'metadata')
+    os.mkdir(meta_dir)
+    targets_file_path = os.path.join(meta_dir, 'targets.txt')
+    targets_dir = os.path.join(repo_dir, 'targets')
+
+
+    # TESTS
+    #  Test: normal case.
+    signerlib.build_targets_file(targets_dir, targets_keyids, meta_dir)
+
+    #  Check existence of the file and validity of it's content.
+    self.assertTrue(os.path.exists(targets_file_path))
+    file_content = tuf.util.load_json_file(targets_file_path)
+    self.assertEqual(signed_targets_meta, file_content)
+
+    #  Test: variouse exeptions.
+    self.assertRaises(tuf.Error, signerlib.build_targets_file,
+        self.random_path(), targets_keyids, meta_dir)
+    self.assertRaises(tuf.FormatError, signerlib.build_root_file,
+        targets_dir, self.random_string(), meta_dir)
+    self.assertRaises((tuf.FormatError, tuf.Error), signerlib.build_root_file,
+        targets_dir, targets_keyids, self.random_path())
+
+
+
+
+
+  def test_6_generate_release_metadata(self):
+    """
+    test_6_generate_release_metadata() uses previously tested
+    singnerlib's build_root_file(), build_target_file()
+    and get_metadata_file_info.  In order to use generate_release_metadata()
+    we need to have root.txt and targets.txt in the metadata directory,
+    plus we need to have targets directory (with target files/directories).
+    """
+
+    # SETUP
+    #  Create root.txt and targets.txt as described above.
+    meta_dir = self._create_root_and_targets_meta_files()
+
+
+    # TESTS
+    #  Test: Run generate_release_metadata().
+    release_meta = signerlib.generate_release_metadata(meta_dir)
+
+    #  Verify that created metadata dictionary corresponds to
+    #  SIGNABLE_SCHEMA and its 'signed' value to RELEASE_SCHEMA.
+    self.assertTrue(formats.SIGNABLE_SCHEMA.matches(release_meta))
+    self.assertTrue(formats.RELEASE_SCHEMA.matches(release_meta['signed']))
+
+    #  Test: exceptions.
+    self.assertRaises(tuf.Error, signerlib.generate_release_metadata,
+                      self.random_path())
+    self.assertRaises(tuf.FormatError, signerlib.generate_release_metadata,
+                      ['junk'])
+
+
+
+
+
+  def test_7_build_release_file(self):
+    """
+    test_7_build_release_file() uses previously tested
+    generate_release_metadata().
+    """
+
+    # SETUP
+    #  Create root.txt and targets.txt as described above.  Also, get signed
+    #  release metadata to compare it with the content of the file
+    signed_release_meta, release_info = self._get_signed_role_info('release')
+    meta_dir = release_info[2]
+    release_keyids = release_info[1]
+    release_filepath = os.path.join(meta_dir, 'release.txt')
+
+
+    # TESTS
+    #  Test: normal case.
+    signerlib.build_release_file(release_keyids, meta_dir)
+
+    # Check if 'release.txt' file was created in metadata directory.
+    self.assertTrue(os.path.exists(release_filepath))
+    file_content = tuf.util.load_json_file(release_filepath)
+    self.assertEqual(file_content, signed_release_meta)
+
+    #  Test: exceptions.
+    self.assertRaises(tuf.Error, signerlib.build_release_file, release_keyids,
+                      self.random_path())
+    self.assertRaises(tuf.FormatError, signerlib.build_release_file,
+                      self.random_string(), meta_dir)
+
+
+
+
+
+  def test_8_generate_timestamp_metadata(self):
+    """
+    test_8_generate_timestamp_metadata() uses previously tested
+    build_release_file()
+    """
+
+    # SETUP
+    generate_timestamp_meta = signerlib.generate_timestamp_metadata
+
+    #  Create release metadata and create 'release.txt' file.
+    junk, release_keyids, meta_dir = self._get_role_info('release')
+    signerlib.build_release_file(release_keyids, meta_dir)
+    release_filepath = os.path.join(meta_dir, 'release.txt')
+
+    #  To test compression we need to create compressed 'release.txt'.
+    #  The 'release.txt' should exist at this point, compress it.
+    release_file = open(release_filepath, 'rb')
+    gzipped_release = open(release_filepath+'.gz', 'wb')
+    gzipped_release.writelines(release_file)
+    gzipped_release.close()
+    release_file.close()
+
+
+    # TESTS
+    #  Test: normal case.
+    timestamp_meta = generate_timestamp_meta(release_filepath)
+
+    #  Verify metadata formats.
+    self.assertTrue(formats.SIGNABLE_SCHEMA.matches(timestamp_meta))
+    self.assertTrue(formats.TIMESTAMP_SCHEMA.matches(timestamp_meta['signed']))
+
+    #  Test: normal case (with compression).
+    timestamp_meta = generate_timestamp_meta(release_filepath+'.gz')
+
+    #  Verify metadata formats.
+    self.assertTrue(formats.SIGNABLE_SCHEMA.matches(timestamp_meta))
+    self.assertTrue(formats.TIMESTAMP_SCHEMA.matches(timestamp_meta['signed']))
+
+    #  Test: invalid path.
+    self.assertRaises(tuf.Error, generate_timestamp_meta, self.random_path())
+
+
+
+
+
+  def test_9_build_timestamp_metadata(self):
+    """
+    test_9_build_timestamp_file() uses previously tested
+    generate_timestamp_metadata().
+    """
+
+    # SETUP
+    #  Create all necessary files and metadata i.e. signed timestamp
+    #  metadata, timestamp keyids, 'release.txt', 'root.txt', 'targets.txt',
+    #  target files, etc.
+    signed_timestamp_meta, timestamp_info = \
+        self._get_signed_role_info('timestamp')
+
+    timestamp_keyids = timestamp_info[1]
+    meta_dir = timestamp_info[2]
+    timestamp_filepath = os.path.join(meta_dir, 'timestamp.txt')
+
+
+    # TESTS
+    #  Test: normal case.
+    signerlib.build_timestamp_file(timestamp_keyids, meta_dir)
+
+    # Check if 'timestamp.txt' file was created in metadata directory.
+    self.assertTrue(os.path.exists(timestamp_filepath))
+    file_content = tuf.util.load_json_file(timestamp_filepath)
+    self.assertEqual(file_content, signed_timestamp_meta)
+
+    #  Test: try bogus parameters.
+    self.assertRaises(tuf.Error, signerlib.build_timestamp_file,
+                      timestamp_keyids, self.random_path())
+    self.assertRaises(tuf.FormatError, signerlib.build_timestamp_file,
+                      self.random_string(), meta_dir)
+
+
+
+
+
+  def test_9_get_target_keyids(self):
+
+    # SETUP
+    #  Create metadata directory and targets metadata file.
+    meta_dir = self._create_root_and_targets_meta_files()
+
+    signed_targets_meta, targets_info = self._get_signed_role_info('targets')
+
+    #  'targets_info' is a tuple that includes targets meta, repository dir,
+    #  list of target files.
+    targets_keyids = targets_info[1]
+    repo_dir = targets_info[2]
+    meta_dir = os.path.join(repo_dir, 'metadata')
+    os.mkdir(meta_dir)
+    targets_file_path = os.path.join(meta_dir, 'targets.txt')
+    targets_dir = os.path.join(repo_dir, 'targets')
+
+
+    # TESTS
+    #  Test: normal case.
+    signerlib.build_targets_file(targets_dir, targets_keyids, meta_dir)
+
+    #  Check existence of the file and validity of it's content.
+    self.assertTrue(os.path.exists(targets_file_path))
+    file_content = tuf.util.load_json_file(targets_file_path)
+    self.assertEqual(signed_targets_meta, file_content)
+    #  Generate some delegation metadata file.
+    
+    #  Test: normal case.
+    _target_keyids = signerlib.get_target_keyids(meta_dir)
+    for keyid in targets_keyids:
+      self.assertTrue(keyid in _target_keyids['targets'])
+
+
+
+
+
+
+  # HELPER METHODS
+  # Call these non-test methods ONLY in methods that begin with 'test'.
+  def _create_root_and_targets_meta_files(self, repo_dir=None):
+    """
+    This method generates temp root.txt and target.txt, it uses following
+    previously tested signerlib's methods:
+      build_root_file()
+      build_targets_file()
+    """
+
+    if not repo_dir:
+      # Create repository directory.
+      repo_dir = self.make_temp_directory()
+
+    # Create metadata directory.
+    meta_dir = os.path.join(repo_dir, 'metadata')
+    os.mkdir(meta_dir)
+
+    # Create root.txt.
+    junk, root_keyids, repo_dir, config_path = \
+        self._get_role_info('root', directory=repo_dir)
+    signerlib.build_root_file(config_path, root_keyids, meta_dir)
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+
+    # Create targets.txt.
+    junk, targets_keyids, repo_dir, target_files = \
+        self._get_role_info('targets', directory=repo_dir)
+    path_to_targets = os.path.join(repo_dir, 'targets')
+    signerlib.build_targets_file(path_to_targets, targets_keyids, meta_dir)
+    self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
+
+    return meta_dir
+
+
+
+
+
+  def _get_role_info(self, role, directory=None):
+    """
+    This method generates role's metadata dictionary, it uses previously
+    tested signerlib's methods.  Note that at everything maintains the order.
+    Nothing that has not been tested previously is used in any of the
+    following conditions.
+
+    <Arguments>
+      directory:
+        Directory of a config file.
+
+    <Returns>
+      Tuple (role's metadata(not signed), role's keyids, directory, optional)
+
+    """
+
+    if not directory:
+      # Create a temp directory to hold a config file.
+      directory = self.make_temp_directory()
+
+    # Get role's keyids.
+    role_keyids = self.top_level_role_info[role]['keyids']
+
+
+    if role == 'root':
+      #  Create config file using previously tested build_config_file().
+      config_path = signerlib.build_config_file(directory, 365,
+                                                self.top_level_role_info)
+
+      #  Patch keystore's get_key method.
+      signerlib.tuf.repo.keystore.get_key = self.get_keystore_key
+
+      #  Create root metadata.
+      root_meta = signerlib.generate_root_metadata(config_path)
+      return root_meta, role_keyids, directory, config_path
+
+    elif role == 'targets':
+      # Generate target files.
+      # 'repo_dir' represents repository base.
+      # 'target_files' represents a list of relative target paths.
+      repo_dir, target_files = \
+          self.make_temp_directory_with_data_files(directory=directory)
+
+      # Run the 'signerlib.generate_targets_metadata'.  Test its return value.
+      # Its return value should correspond to tuf.formats.SIGNABLE_SCHEMA
+      targets_meta = signerlib.generate_targets_metadata(repo_dir,
+                                                         target_files)
+      return targets_meta, role_keyids, repo_dir, target_files
+
+    elif role == 'release':
+      # Generate 'root.txt' and 'targets.txt' with targets directory in
+      # the repository containing files and directories.
+      meta_dir = self._create_root_and_targets_meta_files()
+      release_meta = signerlib.generate_release_metadata(meta_dir)
+      return release_meta, role_keyids, meta_dir
+
+    elif role == 'timestamp':
+      # Generate 'release.txt' which includes creation of 'root.txt',
+      # 'targets.txt' and target files.
+      junk, release_keyids, meta_dir = self._get_role_info('release')
+      signerlib.build_release_file(release_keyids, meta_dir)
+      release_filepath = os.path.join(meta_dir, 'release.txt')
+
+      # Generate timestamp metadata.
+      timestamp_meta = signerlib.generate_timestamp_metadata(release_filepath)
+      return timestamp_meta, role_keyids, meta_dir
+
+    else:
+      print '\nUnrecognized top-level role.'
+
+
+
+
+
+  def _get_signed_role_info(self, role, directory=None):
+    role_info = self._get_role_info(role, directory=directory)
+    filename = repr(role+'.txt')
+
+    # Try sign_metadata(), see if signable is returned.
+    signed_meta = signerlib.sign_metadata(role_info[0], role_info[1],
+                                          filename)
+    return signed_meta, role_info
+
+
+
+
+
+# RUN UNIT TESTS.
+print
+suite = test_loader().loadTestsFromTestCase(TestSignerlib)
+tuf.tests.unittest_toolbox.unittest.TextTestRunner(verbosity=2).run(suite)
diff --git a/src/tuf/tests/test_updater.py b/src/tuf/tests/test_updater.py
new file mode 100755
index 00000000..a31e3e8f
--- /dev/null
+++ b/src/tuf/tests/test_updater.py
@@ -0,0 +1,1116 @@
+"""
+<Program Name>
+  test_updater.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  October 15, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  test_updater.py provides collection of methods that tries to test all the
+  units (methods) of the module under test.
+
+  unittest_toolbox module was created to provide additional testing tools for
+  tuf's modules.  For more info see unittest_toolbox.py.
+
+
+<Methodology>
+  Unit tests must follow a specific structure i.e. independent methods should
+  be tested prior to dependent methods. More accurately: least dependent
+  methods are tested before most dependent methods.  There is no reason to
+  rewrite or construct other methods that replicate already-tested methods
+  solely for testing purposes.  This is possible because 'unittest.TestCase'
+  class guarantees the order of unit tests.  So that, 'test_something_A'
+  method would be tested before 'test_something_B'.  To ensure the structure
+  a number will be placed after 'test' and before methods name like so:
+  'test_1_check_directory'.  The number is a measure of dependence, where 1
+  is less dependent than 2.
+
+"""
+
+import os
+import gzip
+import time
+import shutil
+import tempfile
+
+import tuf.util
+import tuf.repo.keystore as keystore
+import tuf.repo.signerlib as signerlib
+import tuf.client.updater as updater
+import tuf.tests.repository_setup as setup
+import tuf.tests.unittest_toolbox as unittest_toolbox
+
+
+#  References to roledb and keydb dictionaries.
+roledb_dict = tuf.roledb._roledb_dict
+keydb_dict = tuf.keydb._keydb_dict
+
+
+
+class TestUpdater_init_(unittest_toolbox.Modified_TestCase):
+
+  def test__init__exceptions(self):
+    # Setup:
+    # Create an empty repository structure for client.
+    repo_dir = self.make_temp_directory()
+
+    # Config patch.  The repository directory must be configured in 'tuf.conf'.
+    tuf.conf.repository_directory = repo_dir
+
+
+    # Test: empty repository. 
+    self.assertRaises(tuf.RepositoryError, updater.Updater, 'Repo_Name',
+                      self.mirrors) 
+
+    # Test: empty repository with {repository_dir}/metadata directory.
+    meta_dir = os.path.join(repo_dir, 'metadata')
+    os.mkdir(meta_dir)
+    self.assertRaises(tuf.RepositoryError, updater.Updater, 'Repo_Name',
+                      self.mirrors) 
+
+    # Test: empty repository with {repository_dir}/metadata/current directory.
+    current_dir = os.path.join(meta_dir, 'current')
+    os.mkdir(current_dir)
+    self.assertRaises(tuf.RepositoryError, updater.Updater, 'Repo_Name',
+                      self.mirrors)
+
+    # Test: normal case.
+    repositories = setup.create_repositories()
+    client_repo_dir = repositories['client_repository']
+    tuf.conf.repository_directory = client_repo_dir
+    updater.Updater('Repo_Name', self.mirrors)
+    
+    # Test: case w/ only root metadata file present in the current dir.
+    client_current_dir = os.path.join(client_repo_dir, 'metadata', 'current')
+    for directory, junk, role_list in os.walk(client_current_dir):
+      for role_filepath in role_list:
+        role_filepath = os.path.join(directory, role_filepath)
+        if role_filepath.endswith('root.txt'):
+          continue
+        os.remove(role_filepath)
+    updater.Updater('Repo_Name', self.mirrors)
+
+    #  Remove all created repositories.
+    setup.remove_all_repositories(repositories['main_repository'])
+
+
+
+
+class TestUpdater(unittest_toolbox.Modified_TestCase):
+  # Create repositories.  'repositories' is a tuple that looks like this:
+  # (repository_dir, client_repository_dir, server_repository_dir), see 
+  # repository_setup.py odule.
+  repositories = setup.create_repositories()
+
+  # Save references to repository directories and metadata.
+  #  Server side references.
+  server_repo_dir = repositories['server_repository']
+  server_meta_dir = os.path.join(server_repo_dir, 'metadata')
+  root_filepath = os.path.join(server_meta_dir, 'root.txt')
+  timestamp_filepath = os.path.join(server_meta_dir, 'timestamp.txt')
+  targets_filepath = os.path.join(server_meta_dir, 'targets.txt')
+  release_filepath = os.path.join(server_meta_dir, 'release.txt')
+
+  #  References to delegated metadata paths and directories.
+  delegated_dir1 = os.path.join(server_meta_dir, 'targets')
+  delegated_filepath1 = os.path.join(delegated_dir1, 'delegated_role1.txt')
+  delegated_dir2 = os.path.join(delegated_dir1, 'delegated_role1')
+  delegated_filepath2 = os.path.join(delegated_dir2, 'delegated_role2.txt')
+  targets_dir = os.path.join(server_repo_dir, 'targets')  
+
+  #  Client side references.
+  client_repo_dir = repositories['client_repository']
+  client_meta_dir = os.path.join(client_repo_dir, 'metadata')
+  client_current_dir = os.path.join(client_meta_dir, 'current')
+  client_previous_dir = os.path.join(client_meta_dir, 'previous')
+
+
+
+
+
+  def setUp(self):
+    #  We are inheriting from custom class.
+    unittest_toolbox.Modified_TestCase.setUp(self)
+
+    #  Patching 'tuf.conf.repository_directory' with the one we set up.
+    tuf.conf.repository_directory = self.client_repo_dir
+
+    #  Creating Repository instance.
+    self.Repository = updater.Updater('Client_Repository', self.mirrors)
+
+    #  List of all role paths, (in order they are updated).  This list will be
+    #  used as an optional argument to 'download_url_to_tempfileobj' patch 
+    #  function.
+    self.all_role_paths = [self.timestamp_filepath,
+                           self.release_filepath,
+                           self.root_filepath,
+                           self.targets_filepath,
+                           self.delegated_filepath1,
+                           self.delegated_filepath2]
+
+    #  Making sure that server and client's metadata files are the same.
+    shutil.rmtree(self.client_current_dir)
+    shutil.copytree(self.server_meta_dir, self.client_current_dir)
+
+
+
+
+
+  def tearDown(self):
+    #  We are inheriting from custom class.
+    unittest_toolbox.Modified_TestCase.tearDown(self)
+
+    #  Clear roledb and keydb dictionaries.
+    roledb_dict.clear()
+    keydb_dict.clear()
+
+
+
+
+
+  # HELPER FUNCTIONS (start with '_').
+
+  def _mock_download_url_to_tempfileobj(self, output):
+    """
+    <Purpose>
+      Patch 'tuf.download.download_url_to_fileobject' method.
+      
+    <Arguments>
+      output:
+        Can be a file path or a list of file paths.  If 'output' is a file
+        path then a tuf.util.TempFile file-object of that path is returned on
+        the call.  Else if, 'output' is a list of file paths then first
+        element of the that list is popped and it's tuf.util.TempFile fileobject
+        of is returned every time the patch is called.
+
+    """
+
+    def _mock_download(url, hashes=None, length=None):
+      if isinstance(output, (str, unicode)):
+        file_path = output
+      elif isinstance(output, list):
+        file_path = output.pop(0)
+      file_obj = open(file_path, 'rb')
+      temp_fileobj = tuf.util.TempFile()
+      temp_fileobj.write(file_obj.read())
+      return temp_fileobj
+
+    # Patch tuf.download.download_url_to_tempfileobj().
+    tuf.download.download_url_to_tempfileobj = _mock_download
+
+
+
+  def _add_file_to_directory(self, directory):
+    file_path = tempfile.mkstemp(suffix='.txt', dir=directory)
+    fileobj = open(file_path[1], 'wb')
+    fileobj.write(self.random_string())
+    fileobj.close()
+    return file_path[1]
+
+
+
+  def _remove_filepath(self, filepath):
+    os.remove(filepath)
+
+
+
+  def _add_target_to_targets_dir(self, targets_keyids):
+    """
+    Adds a file to server's 'targets' directory and rebuilds
+    targets metadata (targets.txt).
+    """
+    
+    targets_sub_dir = os.path.join(self.targets_dir, 'targets_sub_dir')
+    if not os.path.exists(targets_sub_dir):
+      os.mkdir(targets_sub_dir)
+    file_path = tempfile.mkstemp(suffix='.txt', dir=targets_sub_dir)
+    data = self.random_string()
+    file_object = open(file_path[1], 'wb')
+    file_object.write(data)
+    file_object.close()
+
+    #  In order to rebuild metadata, keystore's dictionary must be loaded.
+    #  Fortunately, 'unittest_toolbox.rsa_keystore' dictionary stores all keys.
+    keystore._keystore = self.rsa_keystore
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+
+    keystore._keystore = {}
+    junk, target_filename = os.path.split(file_path[1])
+    return os.path.join('targets_sub_dir', target_filename)
+
+
+
+  def _remove_target_from_targets_dir(self, target_filename, remove_all=True):
+    """
+    Remove a target 'target_filename' from server's targets directory and
+    rebuild 'targets', 'release', 'timestamp' metadata files.
+    'target_filename' is relative to targets directory. 
+    Example of 'target_filename': 'targets_sub_dir/somefile.txt'.
+
+    If 'remove_all' is set to True, then the sub directory 'targets_sub_dir'
+    (with all added targets) is removed.  All listed metadata files are
+    rebuilt.
+    """
+    
+    targets_sub_dir = os.path.join(self.targets_dir, 'targets_sub_dir')
+    if remove_all:
+      shutil.rmtree(targets_sub_dir)
+    else:
+      target_path = os.path.join(targets_dir, target_filename)
+      os.remove(target_path)
+
+    #  In order to rebuild metadata, keystore's dictionary must be loaded.
+    keystore._keystore = self.rsa_keystore
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+  
+    #  Synchronise client's repository with server's repository.
+    shutil.rmtree(self.client_meta_dir)
+    shutil.copytree(self.server_meta_dir, self.client_current_dir)
+    shutil.copytree(self.server_meta_dir, self.client_previous_dir)
+
+    keystore._keystore = {}
+
+
+
+  def _compress_file(self, file_path):
+    fileobj = open(file_path, 'rb')
+    file_path_compressed = file_path+'.gz'
+    fileobj_compressed = gzip.open(file_path+'.gz', 'wb')
+    fileobj_compressed.writelines(fileobj)
+    fileobj_compressed.close()
+    fileobj.close()
+    return file_path_compressed
+
+
+
+  def _get_list_of_target_paths(self, targets_directory, relative=True):
+    # This helper function returns a list of all target filepaths
+    # located in the server's targets directory (where all target files are
+    # located).  If 'relative' is true, relative paths to 'targets_directory'
+    # are returned.
+
+    target_filepaths = []
+    if relative:
+      for directory, sub_directories, files in os.walk(targets_directory):
+        for _file in files:
+          file_path = os.path.join(directory, _file)
+          rel_file_path = os.path.relpath(file_path, targets_directory)
+          target_filepaths.append(rel_file_path) 
+
+    else:
+      for directory, sub_directories, files in os.walk(targets_directory):
+        for _file in files:
+          file_path = os.path.join(directory, _file)
+          target_filepaths.append(file_path)
+
+    return target_filepaths
+
+
+
+  def _update_top_level_roles(self):
+    self._mock_download_url_to_tempfileobj(self.timestamp_filepath)
+    self.Repository._update_metadata('timestamp')
+
+    # Reference self.Repository._update_metadata_if_changed().
+    update_if_changed = self.Repository._update_metadata_if_changed    
+
+    self._mock_download_url_to_tempfileobj(self.release_filepath)
+    update_if_changed('release', referenced_metadata = 'timestamp')
+
+    self._mock_download_url_to_tempfileobj(self.root_filepath)
+    update_if_changed('root')
+
+    self._mock_download_url_to_tempfileobj(self.targets_filepath)
+    update_if_changed('targets')
+
+
+
+
+
+  # UNIT TESTS.
+
+  def test_1__load_metadata_from_file(self):
+    # Setup
+    #  Get root.txt file path.  Extract root metadata, 
+    #  it will be compared with content of loaded root metadata.
+    root_filepath = os.path.join(self.client_current_dir, 'root.txt')
+    root_meta = tuf.util.load_json_file(root_filepath)
+
+
+    # Test: normal case.
+    for role in self.role_list:
+      self.Repository._load_metadata_from_file('current', role)
+
+    #  Verify that the correct number of metadata objects has been loaded. 
+    self.assertEqual(len(self.Repository.metadata['current']), 4)
+
+    #  Verify that the content of root metadata is valid.
+    self.assertEqual(self.Repository.metadata['current']['root'],
+                     root_meta['signed'])
+
+
+
+
+
+
+  def test_1__rebuild_key_and_role_db(self):    
+    # Setup
+    root_meta = self.Repository.metadata['current']['root']
+
+
+    # Test: normal case.
+    self.Repository._rebuild_key_and_role_db()
+    
+    #  Verify tuf.roledb._roledb_dict and tuf.keydb._keydb_dict dictionaries
+    #  are populated.  'top_level_role_info' is a unittest_toolbox's dict
+    #  that contains top level role information it corresponds to a
+    #  ROLEDICT_SCHEMA where roles are keys and role information their values.
+    self.assertEqual(roledb_dict, self.top_level_role_info)
+    self.assertEqual(len(keydb_dict), 4)
+
+    #  Verify that keydb dictionary was updated.
+    for role in self.role_list:
+      keyids = self.top_level_role_info[role]['keyids']
+      for keyid in keyids:
+        self.assertTrue(keyid in keydb_dict)
+
+
+
+
+
+  def test_2__import_delegations(self):
+    # In order to test '_import_delegations' the parent of the delegation
+    # has to be in Repository.metadata['current'], but it has to be inserted
+    # there without using '_load_metadata_from_file' function since it calls
+    # '_import_delegations'.
+    # Setup.
+    deleg_role1_signable = tuf.util.load_json_file(self.delegated_filepath1)
+    self.Repository.metadata['current']['targets/delegated_role1'] = \
+        deleg_role1_signable['signed']
+
+ 
+    # Test: pass a role without delegations.
+    self.Repository._import_delegations('root')
+
+    #  Verify that there was no change in roledb and keydb dictionaries
+    #  by checking the number of elements in the dictionaries.
+    self.assertEqual(len(roledb_dict), 5)
+    self.assertEqual(len(keydb_dict), 5)
+
+    # Test: normal case, first level delegation.
+    self.Repository._import_delegations('targets/delegated_role1')
+
+    self.assertEqual(len(roledb_dict), 6)
+    self.assertEqual(len(keydb_dict), 6)
+
+    #  Verify that roledb dictionary was updated.
+    self.assertTrue('targets/delegated_role1' in tuf.roledb._roledb_dict)
+    
+    #  Verify that keydb dictionary was updated.
+    keyids = self.semi_roledict['targets/delegated_role1']['keyids']
+    for keyid in keyids:
+      self.assertTrue(keyid in keydb_dict)
+
+
+
+
+
+  def test_2__ensure_all_targets_allowed(self):
+    # Setup
+    #  Reference to self.Repository._ensure_all_targets_allowed()    
+    ensure_all_targets_allowed = self.Repository._ensure_all_targets_allowed
+
+    #  Extract delegated role metadata, it will be used as an argument
+    #  to updater._ensure_all_targets_allowed() method.
+    #  'role1' is delegated by 'targets' role.
+    targets_meta_dir = os.path.join(self.server_meta_dir, 'targets')
+    role1_meta_dir = os.path.join(targets_meta_dir, 'delegated_role1')
+    
+    role1_path = os.path.join(targets_meta_dir, 'delegated_role1.txt')
+    role1_metadata_signable = tuf.util.load_json_file(role1_path)
+    role1_metadata = role1_metadata_signable['signed']
+    
+
+    # Test: normal case.
+    ensure_all_targets_allowed('targets/delegated_role1', role1_metadata)
+
+    # Test: invalid role.  tuf.UnknownRoleError is raised since 
+    # 'delegated_role1' is not in the Repository's 'metadata' dictionary.
+    self.assertRaises(tuf.UnknownRoleError, ensure_all_targets_allowed,
+                      'targets/delegated_role1/delegated_role2',
+                      role1_metadata)
+
+    #  To verify that an exception is raised when targets listed in the 
+    #  delegated role's metadata are not indicated in the metadata of the
+    #  delegated role's parent, we need to modify delegated role's 'targets'
+    #  field.
+    target = self.random_string()+'.txt'
+    deleg_target_path = os.path.join('delegated_level', target)
+    role1_metadata['targets'][deleg_target_path] = self.random_string()
+
+    # Test: targets not included in the parent's metadata.
+    self.assertRaises(tuf.RepositoryError, ensure_all_targets_allowed,
+                      'targets/delegated_role1',
+                      role1_metadata)
+
+
+
+
+
+  def test_3__update_metadata(self):
+    """
+    This unit test verifies the method's proper behaviour on the expected input.
+    """
+
+    # Setup
+    #  Since client's '.../metadata/current' will need to have separate
+    #  gzipped metadata file in order to test compressed file handling,
+    #  we need to copy it there.  
+    targets_filepath_compressed = self._compress_file(self.targets_filepath)
+    shutil.copy(targets_filepath_compressed, self.client_current_dir) 
+
+    #  To test updater._update_metadata(), 'targets' metadata file is
+    #  going to be modified at the server's repository.
+    #  Keyid's are required to build the metadata.
+    targets_keyids = setup.role_keyids['targets']
+
+    #  Add a file to targets directory and rebuild targets metadata.
+    #  Returned target's filename will be used to verify targets metadata.
+    added_target_1 = self._add_target_to_targets_dir(targets_keyids)
+
+    #  Reference 'self.Repository._update_metadata'.
+    _update_metadata = self.Repository._update_metadata
+
+
+    # Test: Invalid file downloaded.
+    #  Patch 'download.download_url_to_tempfileobj' function.
+    self._mock_download_url_to_tempfileobj(self.release_filepath)
+    self.assertRaises(tuf.RepositoryError, _update_metadata, 'targets')
+
+
+    # Test: normal case.
+    #  Patch 'download.download_url_to_tempfileobj' function.
+    self._mock_download_url_to_tempfileobj(self.targets_filepath)
+    _update_metadata('targets')
+    list_of_targets = self.Repository.metadata['current']['targets']['targets']
+
+    #  Verify that the added target's path is listed in target's metadata.
+    if added_target_1 not in list_of_targets.keys():
+      self.fail('\nFailed to update targets metadata.')
+
+  
+    # Test: normal case, compressed metadata file.
+    #  Add a file to targets directory and rebuild targets metadata. 
+    added_target_2 = self._add_target_to_targets_dir(targets_keyids)
+
+    #  To test compressed file handling, compress targets metadata file.
+    targets_filepath_compressed = self._compress_file(self.targets_filepath) 
+
+    #  Re-patch 'download.download_url_to_tempfileobj' function.
+    self._mock_download_url_to_tempfileobj(targets_filepath_compressed)
+    _update_metadata('targets', compression='gzip')
+    list_of_targets = self.Repository.metadata['current']['targets']['targets']
+
+    #  Verify that the added target's path is listed in target's metadata.
+    if added_target_2 not in list_of_targets.keys():
+      self.fail('\nFailed to update targets metadata.')
+
+
+    # Restoring server's repository to the initial state.
+    os.remove(targets_filepath_compressed)
+    os.remove(os.path.join(self.client_current_dir,'targets.txt.gz'))
+    self._remove_target_from_targets_dir(added_target_1)
+
+
+
+
+
+  def test_1__update_fileinfo(self):
+    # Tests
+    #  Verify that fileinfo dictionary is empty.
+    self.assertFalse(self.Repository.fileinfo)
+
+    #  Load file info for top level roles.  This populates the fileinfo 
+    #  dictionary.
+    for role in self.role_list:
+      self.Repository._update_fileinfo(role+'.txt')
+
+    #  Verify that fileinfo has been populated and contains appropriate data.
+    self.assertTrue(self.Repository.fileinfo)
+    for role in self.role_list:
+      role_filepath = os.path.join(self.client_current_dir, role+'.txt')
+      role_info = tuf.util.get_file_details(role_filepath)
+      role_info_dict = {'length':role_info[0], 'hashes':role_info[1]}
+      self.assertTrue(role+'.txt' in self.Repository.fileinfo.keys())
+      self.assertEqual(self.Repository.fileinfo[role+'.txt'], role_info_dict)
+
+
+
+
+
+  def test_2__fileinfo_has_changed(self):
+    #  Verify that the method returns 'False' if file info was not changed.
+    for role in self.role_list:
+      role_filepath = os.path.join(self.client_current_dir, role+'.txt')
+      role_info = tuf.util.get_file_details(role_filepath)
+      role_info_dict = {'length':role_info[0], 'hashes':role_info[1]}
+      self.assertFalse(self.Repository._fileinfo_has_changed(role+'.txt',
+                                                             role_info_dict))
+
+    # Verify that the method returns 'True' if length or hashes were changed.
+    for role in self.role_list:
+      role_filepath = os.path.join(self.client_current_dir, role+'.txt')
+      role_info = tuf.util.get_file_details(role_filepath)
+      role_info_dict = {'length':8, 'hashes':role_info[1]}
+      self.assertTrue(self.Repository._fileinfo_has_changed(role+'.txt',
+                                                             role_info_dict))
+
+    for role in self.role_list:
+      role_filepath = os.path.join(self.client_current_dir, role+'.txt')
+      role_info = tuf.util.get_file_details(role_filepath)
+      role_info_dict = {'length':role_info[0],
+                        'hashes':{'sha256':self.random_string()}}
+      self.assertTrue(self.Repository._fileinfo_has_changed(role+'.txt',
+                                                             role_info_dict))
+
+
+
+
+
+  def test_3__update_metadata_if_changed(self):
+    """
+    This unit test verifies the method's proper behaviour on expected input.
+    """
+
+    # Setup
+    #  To test updater._update_metadata_if_changed, 'targets' metadata file is
+    #  going to be modified at the server's repository.
+    #  Keyid's are required to build the metadata.
+    targets_keyids = setup.role_keyids['targets']
+
+    #  Add a file to targets directory and rebuild targets metadata.
+    #  Returned target's filename will be used to verify targets metadata.
+    added_target_1 = self._add_target_to_targets_dir(targets_keyids)
+
+    #  Reference 'self.Repository._update_metadata_if_changed' function.
+    update_if_changed = self.Repository._update_metadata_if_changed
+
+
+    # Test: normal case.  Update 'release' metadata.
+    #  Patch download_file.
+    self._mock_download_url_to_tempfileobj(self.timestamp_filepath)
+
+    #  Update timestamp metadata, it will indicate change in release metadata.
+    self.Repository._update_metadata('timestamp')
+
+    #  Save current release metadata before updating.  It will be used to
+    #  verify the update.
+    old_release_meta = self.Repository.metadata['current']['release']
+    self._mock_download_url_to_tempfileobj(self.release_filepath)
+
+    #  Update release metadata, it will indicate change in targets metadata.
+    update_if_changed(metadata_role='release', referenced_metadata='timestamp')
+    current_release_meta = self.Repository.metadata['current']['release']
+    previous_release_meta = self.Repository.metadata['previous']['release']
+    self.assertEqual(old_release_meta, previous_release_meta)
+    self.assertNotEqual(old_release_meta, current_release_meta)
+
+
+    # Test: normal case.  Update 'targets' metadata. 
+    #  Patch 'download.download_url_to_tempfileobj' and update targets.
+    self._mock_download_url_to_tempfileobj(self.targets_filepath)
+    update_if_changed('targets')
+    list_of_targets = self.Repository.metadata['current']['targets']['targets']
+
+    #  Verify that the added target's path is listed in target's metadata.
+    if added_target_1 not in list_of_targets.keys():
+      self.fail('\nFailed to update targets metadata.')
+
+
+    # Test: normal case.  Update compressed release file.
+    release_filepath_compressed = self._compress_file(self.release_filepath)
+
+    #  Since client's '.../metadata/current' will need to have separate
+    #  gzipped metadata file in order to test compressed file handling,
+    #  we need to copy it there.  
+    shutil.copy(release_filepath_compressed, self.client_current_dir) 
+  
+    #  Add a target file and rebuild metadata files at the server side.
+    added_target_2 = self._add_target_to_targets_dir(targets_keyids)
+    
+    #  Since release file was updated, update compressed release file.
+    release_filepath_compressed = self._compress_file(self.release_filepath)
+ 
+    #  Patch download_file.
+    self._mock_download_url_to_tempfileobj(self.timestamp_filepath)
+
+    #  Update timestamp metadata, it will indicate change in release metadata.
+    self.Repository._update_metadata('timestamp')
+
+    #  Save current release metadata before updating.  It will be used to
+    #  verify the update.
+    old_release_meta = self.Repository.metadata['current']['release']
+    self._mock_download_url_to_tempfileobj(self.release_filepath)
+
+    #  Update release metadata, and verify the change.
+    update_if_changed(metadata_role='release', referenced_metadata='timestamp')
+    current_release_meta = self.Repository.metadata['current']['release']
+    previous_release_meta = self.Repository.metadata['previous']['release']
+    self.assertEqual(old_release_meta, previous_release_meta)
+    self.assertNotEqual(old_release_meta, current_release_meta)
+  
+
+    # Test: Invalid targets metadata file downloaded.
+    #  Patch 'download.download_url_to_tempfileobj' and update targets.
+    self._mock_download_url_to_tempfileobj(self.root_filepath)
+    self.assertRaises(tuf.MetadataNotAvailableError, update_if_changed, 
+                      'targets')
+
+    # Restoring repositories to the initial state.
+    os.remove(release_filepath_compressed)
+    os.remove(os.path.join(self.client_current_dir, 'release.txt.gz'))
+    self._remove_target_from_targets_dir(added_target_1)
+
+
+
+
+
+  def test_2__move_current_to_previous(self):
+    # The test will consist of removing a metadata file from client's
+    # {client_repository}/metadata/previous directory, executing the method
+    # and then verifying that the 'previous' directory contains
+    # the release file.
+    release_meta_path = os.path.join(self.client_previous_dir, 'release.txt')
+    os.remove(release_meta_path)
+    self.assertFalse(os.path.exists(release_meta_path))
+    self.Repository._move_current_to_previous('release')
+    self.assertTrue(os.path.exists(release_meta_path))
+    shutil.copy(release_meta_path, self.client_current_dir)
+
+
+
+
+
+  def test_2__delete_metadata(self):
+    # This test will verify that 'root' metadata is never deleted, when
+    # role is deleted verify that the file is not present in the 
+    # self.Repository.metadata dictionary.
+    self.Repository._delete_metadata('root')
+    self.assertTrue('root' in self.Repository.metadata['current'])
+    self.Repository._delete_metadata('timestamp')
+    self.assertFalse('timestamp' in self.Repository.metadata['current'])
+    timestamp_meta_path = os.path.join(self.client_previous_dir,
+                                       'timestamp.txt')
+    shutil.copy(timestamp_meta_path, self.client_current_dir)
+
+
+
+
+
+  def test_2__ensure_not_expired(self):
+    # This test will verify that nothing is raised when a metadata file
+    # has future expiration date, and raises 'tuf.ExpiredMetadataError'
+    # when metadata is actually expired.
+    self.Repository._ensure_not_expired('root')
+    self.Repository.metadata['current']['root']['expires'] = time.time() - 10
+    self.assertRaises(tuf.ExpiredMetadataError,
+                      self.Repository._ensure_not_expired,
+                      'root')
+
+
+
+
+
+  def test_4_refresh(self):
+    # Setup.
+    #  This unit test is based on adding an extra target file to the
+    #  server and rebuilding all server-side metadata.  When 'refresh'
+    #  function is called by the client all top level metadata should
+    #  be updated.
+    target_fullpath = self._add_file_to_directory(self.targets_dir)
+    target_relpath = os.path.split(target_fullpath)
+    
+    #  Reference 'self.Repository.metadata['current']['targets']'.
+    targets_meta = self.Repository.metadata['current']['targets']
+    self.assertFalse(target_relpath[1] in targets_meta['targets'].keys())
+
+    #  Rebuild metadata at the server side.
+    self._mock_download_url_to_tempfileobj(self.all_role_paths)
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+  
+
+    # Test: normal case. 
+    self.Repository.refresh()
+
+    #  Verify that clients metadata was updated. 
+    targets_meta = self.Repository.metadata['current']['targets']
+    self.assertTrue(target_relpath[1] in targets_meta['targets'].keys())
+
+
+    # Restore server's repository to initial state.
+    self._remove_filepath(target_fullpath)
+    #  Rebuild metadata at the server side.
+    self._mock_download_url_to_tempfileobj(self.all_role_paths)
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+
+
+
+
+
+  def test_4__refresh_targets_metadata(self):
+    # To test this method a target file would be added to a delegated role,
+    # and metadata on the server side would be rebuilt.
+
+    # Setup
+    targets_deleg_dir1 = os.path.join(self.targets_dir, 'delegated_level1')
+    targets_deleg_dir2 = os.path.join(targets_deleg_dir1, 'delegated_level2')
+    shutil.rmtree(self.server_meta_dir)
+    shutil.rmtree(os.path.join(self.server_repo_dir, 'keystore'))
+    tuf.roledb._roledb_dict['targets/delegated_role1'] = \
+        self.semi_roledict['targets/delegated_role1'] 
+    tuf.roledb._roledb_dict['targets/delegated_role1/delegated_role2'] = \
+        self.semi_roledict['targets/delegated_role1/delegated_role2']
+
+    #  Delegated roles paths.
+    role1_dir = os.path.join(self.server_meta_dir, 'targets')
+    role1_filepath = os.path.join(role1_dir, 'delegated_role1.txt')
+    role2_dir = os.path.join(role1_dir, 'delegated_role1')
+    role2_filepath = os.path.join(role2_dir, 'delegated_role2.txt')
+
+    #  Create a file in the delegated targets directory.
+    deleg_target_filepath2 = self._add_file_to_directory(targets_deleg_dir2)
+    junk, deleg_target_file2 = os.path.split(deleg_target_filepath2)
+  
+    #  Rebuild server's metadata and update client's metadata.
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+    self._update_top_level_roles()
+
+    #  Patching 'download.download_url_to_tempfilepbj' function.
+    delegated_roles = [role1_filepath, role2_filepath]
+    self._mock_download_url_to_tempfileobj(delegated_roles)
+
+
+    # Test: normal case.
+    self.Repository._refresh_targets_metadata(include_delegations=True)
+
+    #  References
+    deleg_role = 'targets/delegated_role1/delegated_role2'
+    deleg_metadata = self.Repository.metadata['current'][deleg_role]
+
+    #  Verify that client's metadata files were refreshed successfully by
+    #  checking that the added target file is listed in the client's metadata.
+    #  'targets_list' is the list of included targets from client's metadata.
+    targets_list = [] 
+    for target in deleg_metadata['targets']:
+      junk, target_file  = os.path.split(target)
+      targets_list.append(target_file)
+
+    self.assertTrue(deleg_target_file2 in targets_list)
+
+
+    #  Clean up.
+    self._remove_filepath(deleg_target_filepath2)
+    shutil.rmtree(os.path.join(self.server_repo_dir, 'metadata'))
+    shutil.rmtree(os.path.join(self.server_repo_dir, 'keystore'))
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+
+
+
+
+
+  def test_3__targets_of_role(self):
+    # Setup
+    targets_dir_content = os.listdir(self.targets_dir)
+
+
+    # Test: normal case.
+    targets_list = self.Repository._targets_of_role('targets')
+    
+    #  Verify that list of targets was returned,
+    #  and that it contains valid target file.
+    self.assertTrue(tuf.formats.TARGETFILES_SCHEMA.matches(targets_list))
+    targets_filepaths = []
+    for target in range(len(targets_list)):
+      targets_filepaths.append(targets_list[target]['filepath'])
+    for dir_target in targets_dir_content:
+      if dir_target.endswith('.txt'):
+        self.assertTrue(dir_target in targets_filepaths)
+
+
+
+
+
+  def test_5_all_targets(self):
+   # As with '_refresh_targets_metadata()', tuf.roledb._roledb_dict
+   # has to be populated.  'tuf.download.download_url_to_tempfileobj' method
+   # should be patched.
+
+   # Setup
+   self._mock_download_url_to_tempfileobj(self.all_role_paths)
+
+   # Update top-level metadata.
+   self.Repository.refresh()
+
+
+   # Test: normal case.
+   all_targets = self.Repository.all_targets()
+
+   #  Verify format of 'all_targets', it should correspond to
+   #  'TARGETFILES_SCHEMA'.
+   self.assertTrue(tuf.formats.TARGETFILES_SCHEMA.matches(all_targets))
+
+   #  Verify that there is a correct number of records in 'all_targets' list.
+   #  The expected number is '6' since we have 4 targets and 2 of them are
+   #  delegated (basically 2 out of 4 counted twice).
+   self.assertTrue(len(all_targets) is 6)   
+
+
+
+
+
+  def test_5_targets_of_role(self):
+    # Setup
+    targets_dir_content = os.listdir(self.targets_dir)
+
+
+    # Test: normal case.
+    targets_list = self.Repository.targets_of_role()
+    
+    #  Verify that list of targets was returned,
+    #  and that it contains valid target file.
+    self.assertTrue(tuf.formats.TARGETFILES_SCHEMA.matches(targets_list))
+    targets_filepaths = []
+    for target in range(len(targets_list)):
+      targets_filepaths.append(targets_list[target]['filepath'])
+    for dir_target in targets_dir_content:
+      if dir_target.endswith('.txt'):
+        self.assertTrue(dir_target in targets_filepaths)
+
+
+
+
+
+  def test_6_target(self):
+    # Requirements: make sure roledb_dict is populated and
+    # tuf.download.download_url_to_tempfileobj function is patched.
+
+    # Setup
+    targets_dir_content = os.listdir(self.targets_dir)
+
+    #  Reference 'self.Repository.metadata['current']['targets']['targets']
+    targets_field = self.Repository.metadata['current']['targets']['targets']
+
+    #  Reference 'self.Repository.target' function.
+    target = self.Repository.target
+
+
+    # Test: normal case.
+    for _target in targets_dir_content:
+      if _target.endswith('.txt'):
+        target_info = target(_target)
+        #  Verify that 'target_info' corresponds to 'TARGETFILE_SCHEMA'.
+        self.assertTrue(tuf.formats.TARGETFILE_SCHEMA.matches(target_info))
+
+
+    # Test: invalid target path.    
+    self.assertRaises(tuf.RepositoryError, target, self.random_path())
+
+
+
+
+
+
+  def test_6_download_target(self):
+    # 'tuf.download.download_url_to_tempfileobj' method should be patched.
+
+    # Setup:
+    target_rel_paths_src = self._get_list_of_target_paths(self.targets_dir)
+
+    #  Create temporary directory that will be passed as an argument to the
+    #  'download_target' function as a targets destination directory.
+    dest_dir = self.make_temp_directory()
+
+
+    # Test: normal case.
+    for file_path in target_rel_paths_src:
+      #  Get the target info which is a parameter to 'download_target' method.
+      target_info = self.Repository.target(file_path)
+      self._mock_download_url_to_tempfileobj(os.path.join(self.targets_dir, file_path))
+      self.Repository.download_target(target_info, dest_dir)
+
+    #  Verify that all target files are downloaded.
+    target_rel_paths_dest = self._get_list_of_target_paths(dest_dir)
+    self.assertTrue(target_rel_paths_dest, target_rel_paths_src)
+
+
+    # Test:
+    # Attempt a file download of a valid target, however, a download exception
+    # occurs because the target is not within the mirror's confined
+    # target paths.
+    #  Adjust mirrors dictionary, so that 'confined_target_paths' field
+    #  contains at least one confined target and excludes needed target file.
+    mirrors = self.Repository.mirrors
+    for mirror_name, mirror_info in mirrors.items():
+      mirrors[mirror_name]['confined_target_paths'] = [self.random_path()]
+
+    #  Get the target file info.
+    file_path = target_rel_paths_src[0]
+    target_info = self.Repository.target(file_path)
+
+    #  Patch 'download.download_url_to_tempfileobj' and verify that an
+    #  exception is raised.
+    self._mock_download_url_to_tempfileobj(os.path.join(self.targets_dir, file_path))
+    self.assertRaises(tuf.DownloadError, self.Repository.download_target,
+                      target_info,
+                      dest_dir)
+      
+    for mirror_name, mirror_info in mirrors.items():
+      mirrors[mirror_name]['confined_target_paths'] = ['']
+
+
+
+
+
+  def test_7_updated_targets(self):
+    # In this test, client will have two target files.  Server will modify 
+    # one of them.  As with 'all_targets' function, tuf.roledb._roledb_dict
+    # has to be populated.  'tuf.download.download_url_to_tempfileobj' method
+    # should be patched.
+    
+    # Setup:
+    target_rel_paths_src = self._get_list_of_target_paths(self.targets_dir)
+
+    #  Create temporary directory which will hold client's target files.
+    dest_dir = self.make_temp_directory()
+
+    target_info = []
+    for target_path in target_rel_paths_src:
+      target_info.append(self.Repository.target(target_path))
+
+    #  Populate 'dest_dir' with few target files.
+    target_path0 = os.path.join(self.targets_dir, target_info[0]['filepath'])
+    self._mock_download_url_to_tempfileobj(target_path0)
+    self.Repository.download_target(target_info[0], dest_dir)
+
+    target_path1 = os.path.join(self.targets_dir, target_info[1]['filepath'])
+    self._mock_download_url_to_tempfileobj(target_path1)
+    self.Repository.download_target(target_info[1], dest_dir)
+
+    #  Modify one of the above downloaded target files at the server side.
+    file_obj = open(target_path0, 'wb')
+    file_obj.write(2*self.random_string())
+    file_obj.close()
+
+    #  Rebuild server's metadata and update client's metadata.
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+    self._update_top_level_roles()
+
+    # Get the list of target files.  It will be used as an argument to
+    # 'updated_targets' function.
+    delegated_roles = []
+    delegated_roles = self.all_role_paths[4:]
+    self._mock_download_url_to_tempfileobj(delegated_roles)
+    all_targets = self.Repository.all_targets()
+
+    #  At this point client needs to update modified target and download
+    #  two other targets.  As a result of calling 'update_targets' method,
+    #  a list of updated/new targets (that will need to be downloaded)
+    #  should be returned.
+
+    
+    # Test: normal cases.
+    updated_targets = self.Repository.updated_targets(all_targets, dest_dir)
+
+    #  Verify that list contains all files that need to be updated, these
+    #  files include modified and new target files.  Also, confirm that files
+    #  than need not to be updated are absent from the list.
+   
+    #  'updated_targets' list should contains 5 target files i.e. one - that
+    #  was modified, two - that are absent from the client's repository and
+    #  same two - belonging to delegated roles.
+    self.assertTrue(len(updated_targets) is 5)
+    for updated_target in updated_targets:
+      if target_info[1]['filepath'] == updated_target['filepath']:
+        msg = 'A file that need not to be updated is indicated as updated.'
+        self.fail(msg)
+
+
+    
+
+
+  def test_8_remove_obsolete_targets(self):
+    # This unit test should be last, because it removes target files from the
+    # server's targets directory. It is done to avoid adding files, rebuilding 
+    # and updating metadata. 
+    
+    # Setup:
+    target_rel_paths_src = self._get_list_of_target_paths(self.targets_dir)
+
+    #  Create temporary directory which will hold client's target files.
+    dest_dir = self.make_temp_directory()
+
+    #  Populate 'dest_dir' with all target files.
+    for target_path in target_rel_paths_src:
+      _target_info = self.Repository.target(target_path)
+      _target_path = os.path.join(self.targets_dir, target_path)
+      self._mock_download_url_to_tempfileobj(_target_path)
+      self.Repository.download_target(_target_info, dest_dir)
+
+    #  Remove few target files from the server's repository.
+    os.remove(os.path.join(self.targets_dir, target_rel_paths_src[0]))
+    os.remove(os.path.join(self.targets_dir, target_rel_paths_src[3]))
+
+    #  Rebuild server's metadata and update client's metadata.
+    setup.build_server_repository(self.server_repo_dir, self.targets_dir)
+    self._update_top_level_roles()
+
+    #  Get the list of target files.  It will be used as an argument to
+    #  'updated_targets' function.
+    delegated_roles = []
+    delegated_roles = self.all_role_paths[4:]
+    self._mock_download_url_to_tempfileobj(delegated_roles)
+    all_targets = self.Repository.all_targets()
+    
+
+    # Test: normal case.
+    #  Verify number of target files in the 'dest_dir' (should be 4),
+    #  and execute 'remove_obsolete_targets' function.
+    self.assertTrue(os.listdir(dest_dir), 4)
+    self.Repository.remove_obsolete_targets(dest_dir)
+
+    #  Verify that number of target files in the 'dest_dir' is now 2, since
+    #  two files were previously removed.
+    self.assertTrue(os.listdir(dest_dir), 2)
+    self.assertTrue(os.path.join(dest_dir), target_rel_paths_src[1])
+    self.assertTrue(os.path.join(dest_dir), target_rel_paths_src[2])
+
+    #  Verify that if there are no obsolete files, the number of files,
+    #  in the 'dest_dir' remains the same.
+    self.Repository.remove_obsolete_targets(dest_dir)
+    self.assertTrue(os.listdir(dest_dir), 2)    
+
+
+
+
+
+# Run all unit tests.
+loader = unittest_toolbox.unittest.TestLoader()
+suite = unittest_toolbox.unittest.TestSuite()
+
+class1_tests = loader.loadTestsFromTestCase(TestUpdater_init_)
+class2_tests = loader.loadTestsFromTestCase(TestUpdater)
+ 
+suite.addTest(class1_tests)
+suite.addTest(class2_tests)
+
+try:
+  unittest_toolbox.unittest.TextTestRunner(verbosity=2).run(suite)
+finally:
+  #  Removing repositories.
+  setup.remove_all_repositories(TestUpdater.repositories['main_repository'])
diff --git a/src/tuf/tests/unittest_toolbox.py b/src/tuf/tests/unittest_toolbox.py
new file mode 100755
index 00000000..efb95a93
--- /dev/null
+++ b/src/tuf/tests/unittest_toolbox.py
@@ -0,0 +1,487 @@
+"""
+<Program>
+  unittest_toolbox.py
+
+<Author>
+  Konstantin Andrianov
+
+<Started>
+  March 26, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Provides an array of various methods for unit testing.  Use it instead of
+  actual unittest module.  This module builds on unittest module.
+  Specifically, Modified_TestCase is a derived class from unittest.TestCase.
+
+"""
+
+import os
+import sys
+import shutil
+import unittest
+import tempfile
+import random
+import string
+import ConfigParser
+
+import tuf.rsa_key as rsa_key
+import tuf.repo.keystore as keystore
+
+
+class Modified_TestCase(unittest.TestCase):
+  """
+  <Purpose>
+    Provide additional test-setup methods to make testing
+    of module's methods-under-test as independent as possible.
+
+    If you want to modify setUp()/tearDown() do:
+    class Your_Test_Class(modified_TestCase):
+      def setUp():
+        your setup modification
+        your setup modification
+        ...
+        modified_TestCase.setUp(self)
+
+  <Methods>
+    switch_wd(self, twd):
+      Switch from current working directory to temporary working directory (twd).
+
+    make_temp_directory(self, directory=None):
+      Creates and returns an absolute path of a temporary directory.
+
+    make_temp_file(self, suffix='.txt', directory=None):
+      Creates and returns an absolute path of an empty temp file.
+
+    make_temp_data_file(self, suffix='', directory=None, data = junk_data):
+      Returns an absolute path of a temp file containing some data.
+
+    make_temp_config_file(self, suffix='', directory=None, config_dict={}, expiration=None):
+      Creates a temporary file and puts a config dictionary in it using
+      ConfigParser.  It then returns a (config_file_path, config_dictionary)
+      tuple.
+
+    make_temp_directory_with_data_files(self, _current_dir=None,directory_content=\
+        directory_dictionary, directory=None):
+      Creates a temp directory with files, directories and sub-directories
+      based on the dictionary supplied. It returns a temp directory, which
+      is parent of the structure supplied in the dictionary.
+
+    random_path(self, length = 7):
+      Generate a 'random' path consisting of n-length strings of random chars.
+
+    get_keystore_key(self, keyid):
+      This a monkey patch for keystore's get_key method.
+
+
+    Static Methods:
+    --------------
+    Following methods are static because they technically don't operate
+    on any instances of the class, what they do is: they modify class variables
+    (dictionaries) that are shared among all instances of the class.  So
+    it is possible to call them without instantiating the class.
+
+    generate_rsakey():
+      Generate rsa key and put it into 'rsa_keystore' dictionary.
+
+    bind_keys_to_a_role(role, threshold=1):
+      Binds a key to a 'role' thus modifying 'semi_roledict' and
+      'rsa_keystore' dictionaries.
+
+    bind_keys_to_roles(role_thresholds={}):
+      Bind keys to top level roles.  If dictionary of roles-thresholds is
+      supplied set - use it to crate appropriate amount of keys.  If you
+      want to set a dictionary specifying a threshold each role should have,
+      the dictionary should look like this: {role : 2, ... }  where role
+      might be 'root' and # is a threshold #.
+
+    random_string(length=7):
+      Generate a 'length' long string of random characters.
+
+  """
+
+  # List of all top level roles.
+  role_list = ['root', 'targets', 'release', 'timestamp']
+
+  # List of delegated roles.
+  delegated_role_list = ['targets/delegated_role1',
+                         'targets/delegated_role1/delegated_role2']
+
+  # 'rsa_keyids' stores keyids of all created rsa keys.
+  rsa_keyids = []
+
+  # 'rsa_keystore' stores all created rsa keys, that are RSAKEY_SCHEMA
+  # conformant, as values for their corresponding keyid dictionary keys.
+  # {keyid : {-- rsa key --}, ...}
+  rsa_keystore = {}
+
+  # 'rsa_passwords' stores passwords for all created rsa keys.
+  rsa_passwords = {}
+
+  # 'semi_roledict' because it lacks an item that a fully pledged
+  # ROLEDICT_SCHEMA dictionary would have i.e. 'path' key is absent.
+  semi_roledict = {}
+
+  # 'top_level_role_info' same as 'semi_roledict' except that it only
+  # contains top-level roles.
+  top_level_role_info = {}
+
+  junk_data = 'Stored data.'
+
+  directory_dictionary = {'targets':[{'delegated_level1':
+                                      [{'delegated_level2':junk_data},
+                                      junk_data]},
+                                    junk_data,
+                                    junk_data]}
+
+  config_expiration = {'expiration':{'days':0, 'years':0,
+                       'minutes':0, 'hours':0, 'seconds':0}}
+
+
+  mirrors = {'mirror1': {'url_prefix' : 'http://mirror1.com',
+                         'metadata_path' : 'metadata',
+                         'targets_path' : 'targets',
+                         'confined_target_paths' : ['']},
+             'mirror2': {'url_prefix' : 'http://mirror2.com',
+                         'metadata_path' : 'metadata',
+                         'targets_path' : 'targets',
+                         'confined_target_paths' : ['']},
+             'mirror3': {'url_prefix' : 'http://mirror3.com',
+                         'metadata_path' : 'metadata',
+                         'targets_path' : 'targets',
+                         'confined_target_paths' : ['']}}
+
+
+
+
+  def setUp(self):
+    self._cleanup = []
+
+
+  def tearDown(self):
+    # Removing 'tuf.log' file from current working directory.
+    tuf_log_path = os.path.join(os.getcwd(), 'tuf.log')
+    if os.path.exists(tuf_log_path):
+      os.unlink(tuf_log_path)
+
+    for cleanup_function in self._cleanup:
+      # Perform clean up by executing clean-up functions.
+      try:
+        # OSError will occur if the directory was already removed.
+        cleanup_function()
+      except OSError:
+        pass
+
+
+
+
+
+  def make_temp_directory(self, directory=None):
+    """Creates and returns an absolute path of a directory."""
+    prefix = self.__class__.__name__+'_'
+    temp_directory = tempfile.mkdtemp(prefix=prefix, dir=directory)
+    def _destroy_temp_directory():
+      shutil.rmtree(temp_directory)
+    self._cleanup.append(_destroy_temp_directory)
+    return temp_directory
+
+
+
+
+
+  def make_temp_file(self, suffix='.txt', directory=None):
+    """Creates and returns an absolute path of an empty file."""
+    prefix='tmp_file_'+self.__class__.__name__+'_'
+    temp_file = tempfile.mkstemp(suffix=suffix, prefix=prefix, dir=directory)
+    def _destroy_temp_file():
+      os.unlink(temp_file[1])
+    self._cleanup.append(_destroy_temp_file)
+    return temp_file[1]
+
+
+
+
+
+  def make_temp_data_file(self, suffix='', directory=None, data = junk_data):
+    """Returns an absolute path of a temp file containing data."""
+    temp_file_path = self.make_temp_file(suffix=suffix, directory=directory)
+    temp_file = open(temp_file_path, 'wb')
+    temp_file.write(data)
+    temp_file.close()
+    return temp_file_path
+
+
+
+
+
+  def make_temp_config_file(self, suffix='', directory=None, config_dict={}, expiration=None):
+    """
+    Creates a temporary file and puts a simple config
+    dictionary in it using ConfigParser.
+    It then returns the temp file path, dictionary tuple.
+    """
+    config = ConfigParser.RawConfigParser()
+    if not config_dict:
+      # Using the fact that empty sequences are false.
+      # Make some mock config data. Make sure it at least has 'keyid',
+      # 'threshold' and 'days' keys.
+      config_dict = {'expiration':{'days':100},
+          'root':{'keyids':['123abc','123abc'], 'threshold':2}}
+    if expiration:
+      config_dict['expiration'] = {}
+      config_dict['expiration'] = self.config_expiration['expiration']
+      config_dict['expiration']['days'] = expiration
+    for section in config_dict:
+      config.add_section(section)
+      for key in config_dict[section]:
+        config.set(section, key, config_dict[section][key])
+    config_path = self.make_temp_file(suffix=suffix, directory=directory)
+    config_file = open(config_path, 'wb')
+    config.write(config_file)
+    config_file.close()
+    return (config_path, config_dict)
+
+
+
+
+
+  def make_temp_directory_with_data_files(self, _current_dir=None,
+      directory_content=directory_dictionary, directory=None):
+    """
+      Creates a temp directory with files, directories and sub-directories
+      based on the dictionary supplied. It returns a temp directory, which
+      is parent of the structure supplied in the dictionary.  When nested
+      directories desired use lists as values ex. {'dir_1':[{dir2:None}]}
+      to get '/tmp/tmp_dir_Test_random/dir_1/dir_2' without files.
+
+      <Arguments>
+        directory: Specifies a path where to create the new directory in
+        (like repository directory).  If 'None' temp directory would be
+        created (recommended).
+
+        _current_dir: Used internally.  Represents a current directory, for
+          example '/tmp/tmp_dir_Test_random',
+          '/tmp/tmp_dir_Test_random/targets/' and
+          '/tmp/tmp_dir_Test_random/targets/more_targets' would all be
+          current directories in turn since they all contain either files
+          or other directories.
+
+        directory_content: Represents a dictionary with desired tree
+          structure to be attached to the 'directory'.
+
+      Example:
+
+        directory_dict = {'targets':[{'more_targets': junk_data},
+                          junk_data, junk_data]}
+
+        self.make_temp_directory_with_data_files(directory_content=
+        directory_dict)
+        Creates:
+          /tmp/tmp_dir_Test_random/
+          /tmp/tmp_dir_Test_random/targets/
+          /tmp/tmp_dir_Test_random/targets/tmp_random1.txt
+          /tmp/tmp_dir_Test_random/targets/tmp_random2.txt
+          /tmp/tmp_dir_Test_random/targets/more_targets/
+          /tmp/tmp_dir_Test_random/targets/more_targets/tmp_random3.txt
+        Returns:
+          ('/tmp/tmp_dir_Test_random/', [targets/tmp_random1.txt,
+          targets/tmp_random2.txt, targets/more_targets/tmp_random3.txt])
+
+    """
+
+    if not _current_dir:
+      if directory:
+        _current_dir = directory
+      else:
+        _current_dir = self.make_temp_directory()
+
+      # Calls itself with _current_dir set.
+      self.make_temp_directory_with_data_files(_current_dir=_current_dir)
+      temp_target_files = []
+
+      for directory, _junk, files in os.walk(_current_dir):
+        for target in files:
+          full_path = os.path.join(directory, target)
+          rel_path = os.path.relpath(full_path, _current_dir)
+          temp_target_files.append(rel_path)
+
+      return _current_dir, temp_target_files
+
+    for key in directory_content:
+      # Create directory 'key'.
+      _new_current_dir = os.path.join(_current_dir, key)
+      os.mkdir(_new_current_dir)
+
+      # We have the directory.  Check if value of key is a list or a str.
+      # If a list iterate through it.
+      # Else create a file with content of the item/value.
+      if isinstance(directory_content[key],list) and\
+         len(directory_content[key]) > 1:
+
+        # Check that there are more than 1 item in the list.
+        # else create a file with content of the item.
+        for item in range(len(directory_content[key])):
+          if isinstance(directory_content[key][item], dict):
+            # Pass current directory which is now '_new_current_dir' and the
+            # dictionary 'directory_content[key][item]'
+            self.make_temp_directory_with_data_files(
+                            _current_dir=_new_current_dir,
+                            directory_content=directory_content[key][item])
+          else:
+            # Create a file w/ data, returning its address.
+            self.make_temp_data_file(suffix='.txt',
+                                     directory=_new_current_dir,
+                                     data=directory_content[key][item])
+
+      else:
+      # Create a file w/ data, returning its address.
+        if directory_content[key]:
+          if isinstance(directory_content[key], str):
+            self.make_temp_data_file(suffix='.txt', directory=_new_current_dir,
+                                     data=directory_content[key])
+
+          elif isinstance(directory_content[key], list) and\
+                          len(directory_content[key])==1:
+            self.make_temp_data_file(suffix='.txt', directory=_new_current_dir,
+                                     data=directory_content[key][0])
+
+
+
+
+
+  def random_path(self, length = 7):
+    """Generate a 'random' path consisting of random n-length strings."""
+
+    rand_path = '/'+self.random_string(length)
+    for i in range(2):
+      rand_path = os.path.join(rand_path, self.random_string(length))
+
+    return rand_path
+
+
+
+
+
+  def get_keystore_key(self, keyid):
+    """This is a monkey patch for keystore's get_key method."""
+
+    return self.rsa_keystore[keyid]
+
+
+
+
+
+  @staticmethod
+  def generate_rsakey():
+    """
+    This method generates a rsa key as shown below. It puts it in
+    'rsa_keystore' and returns the 'keyid' of the created rsa dictionary.
+
+      {'keytype': 'rsa',
+       'keyid': keyid,
+       'keyval': {'public': '-----BEGIN RSA PUBLIC KEY----- ...',
+                  'private': '-----BEGIN RSA PRIVATE KEY----- ...'}}
+    """
+
+    rsakey = rsa_key.generate()
+    keyid = rsakey['keyid']
+    Modified_TestCase.rsa_keyids.append(keyid)
+    Modified_TestCase.rsa_passwords[keyid] = Modified_TestCase.random_string()
+    Modified_TestCase.rsa_keystore[keyid] = rsakey
+    return keyid
+
+
+
+
+
+  def create_temp_keystore_directory(self, keystore_dicts=False):
+
+    if not self.rsa_keystore or not self.rsa_passwords:
+      msg = 'Populate \'rsa_keystore\' and \'rsa_passwords\''+\
+          ' before invoking this method.'
+      sys.exit(msg)
+
+    temp_keystore_directory = self.make_temp_directory()
+    keystore._keystore = self.rsa_keystore
+    keystore._key_passwords = self.rsa_passwords
+    keystore.save_keystore_to_keyfiles(temp_keystore_directory)
+    if not keystore_dicts:
+      keystore._keystore={}
+      keystore._key_passwords={}
+      #keystore.clear_keystore()
+
+    return temp_keystore_directory
+
+
+
+
+
+  @staticmethod
+  def bind_keys_to_a_role(role, threshold=1):
+    """
+    Binds a key to a 'role' thus modifying 'semi_roledict'
+    and 'rsa_keystore' dictionaries.  If 'threshold' is given,
+    'threshold' number of keys are added to the 'role', otherwise
+    'threshold' is set to 1.  There might be existing keys bound
+    to the role, this method will add 'threshold' amount of keys
+    to already existing keys.
+    """
+
+    if not Modified_TestCase.semi_roledict.has_key(role):
+      # If 'semi_roledict' doesn't contain the 'role', initialize it.
+      Modified_TestCase.semi_roledict[role] = {}
+      Modified_TestCase.semi_roledict[role]['keyids'] = []
+      Modified_TestCase.semi_roledict[role]['threshold'] = threshold
+    else:
+      # Update the role's threshold.
+      Modified_TestCase.semi_roledict[role]['threshold'] += threshold
+
+    for number in range(threshold):
+      # Create rsa keys and store their keyids in 'keyids' list.
+      # Side effect: rsa_keystore gets populated with rsa keys.
+      Modified_TestCase.semi_roledict[role]['keyids'].\
+          append(Modified_TestCase.generate_rsakey())
+
+    if role in Modified_TestCase.role_list:
+      Modified_TestCase.top_level_role_info[role] = {}
+      Modified_TestCase.top_level_role_info[role] = \
+          Modified_TestCase.semi_roledict[role]
+
+
+
+
+
+  @staticmethod
+  def bind_keys_to_roles(role_thresholds={}):
+    """
+    Bind keys to top level roles.  If dictionary of roles-thresholds
+    is supplied set - use it to create appropriate amount of keys.  If you
+    want to set a dictionary specifying a threshold each role should have,
+    the dictionary should look like this: {role : 2, ... }  where role
+    might be 'root' and # is a threshold #.
+    """
+
+    list_of_all_roles = Modified_TestCase.role_list + \
+        Modified_TestCase.delegated_role_list
+    for role in list_of_all_roles:
+      if role_thresholds:
+        Modified_TestCase.bind_keys_to_a_role(role, 
+                                              threshold=role_thresholds[role])
+      else:
+        Modified_TestCase.bind_keys_to_a_role(role)
+
+
+
+
+
+  @staticmethod
+  def random_string(length=15):
+    """Generate a random string of specified length."""
+
+    rand_str = ''
+    for letter in range(length):
+      rand_str += random.choice('abcdefABCDEF'+string.digits)
+
+    return rand_str
diff --git a/src/tuf/util.py b/src/tuf/util.py
new file mode 100755
index 00000000..45498cc2
--- /dev/null
+++ b/src/tuf/util.py
@@ -0,0 +1,541 @@
+"""
+<Program Name>
+  util.py
+
+<Author>
+  Konstantin Andrianov
+  Derived from original util.py written by Geremy Condra.
+
+<Started>
+  March 24, 2012
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  Provides utility services.  This module supplies utility functions such as:
+  get_file_details that computes length and hash of a file, import_json that
+  tries to import a working json module, load_json functions, TempFile class -
+  generates a file-like object temporary starage, etc.
+
+"""
+
+
+import gzip
+import os
+import shutil
+import sys
+import re
+import tempfile
+import logging
+
+import tuf.formats
+import tuf.hash
+import tuf.log
+import tuf.conf
+
+
+# See 'log.py' to learn how logging is handled in TUF
+logger = logging.getLogger('tuf.util')
+
+
+
+
+
+class TempFile(object):
+  """
+  <Purpose>
+    A high-level temporary file that cleans itself up or can be manually
+    cleaned up. This isn't a complete file-like object. The file functions
+    that are supported make additional common-case safe assumptions. There
+    are additional functions that aren't part of file-like objects.  TempFile
+    is used in download.py module.
+
+  """
+
+  def __init__(self, prefix='tmp'):
+    """
+    <Purpose>
+      Initializes TempFile.
+
+    <Arguments>
+      prefix:
+        A string argument to be used with tempfile.TemporaryFile function.
+
+    <Exceptions>
+      OSError on failure to load temp dir.
+      tuf.Error
+
+    <Return>
+      None.
+
+    """
+
+    self._compression = None
+
+    # If compression is set then the original file is saved in 'self._orig_file'.
+    self._orig_file = None
+
+    temp_dir = tuf.conf.temporary_directory
+    if  temp_dir is not None:
+      # We use TemporaryFile for the auto-delete aspects of it to ensure
+      # we don't leave behind temp files.
+      try:
+        self.temporary_file = tempfile.TemporaryFile(prefix=prefix, dir=temp_dir)
+      except OSError, err:
+        logger.error('Temp file in '+temp_dir+' failed: '+err)
+        logger.error('Will attempt to use system default temp dir.')
+
+    try:
+      self.temporary_file = tempfile.TemporaryFile(prefix=prefix)
+    except OSError, err:
+      logger.critical('Temp file in '+temp_dir+'failed: '+err)
+      raise tuf.Error(err)
+
+
+  def flush(self):
+    """
+    <Purpose>
+      Flushes buffered output for the file.
+
+    <Arguments>
+      None.
+
+    <Exceptions>
+      None.
+
+    <Return>
+      None.
+
+    """
+
+    self.temporary_file.flush()
+
+
+  def read(self, size=None):
+    """
+    <Purpose>
+      Read specified number of bytes.  If size is not specified then the whole
+      file is read and the file pointer is placed at the beginning of the file.
+
+    <Arguments>
+      size: Number of bytes to be read.
+
+    <Exceptions>
+      None
+
+    <Return>
+      String of data.
+
+    """
+
+    if size is None:
+      self.temporary_file.seek(0)
+      data = self.temporary_file.read()
+      self.temporary_file.seek(0)
+      return data
+    else:
+      if not (isinstance(size, int) and size > 0):
+        raise tuf.FormatError
+      return self.temporary_file.read(size)
+
+
+  def write(self, data, auto_flush=True):
+    """
+    <Purpose>
+      Writes a data string to the file.
+
+    <Arguments>
+      data:
+        A string containing some data.
+
+      auto_flush:
+        Boolean argument, if set to 'True', all data will be flushed from
+        internal buffer.
+
+    <Exceptions>
+      None.
+
+    <Return>
+      None.
+
+    """
+
+    self.temporary_file.write(data)
+    if auto_flush:
+      self.flush()
+
+
+  def move(self, destination_path):
+    """
+    <Purpose>
+      Copies 'self.temporary_file' to a non-temp file at 'destination_path' and
+      closes 'self.temporary_file' so that it is removed.
+
+    <Arguments>
+      destination_path:
+        Path to store the file in.
+
+    <Exceptions>
+      None.
+
+    <Return>
+      None.
+
+    """
+
+    self.flush()
+    self.seek(0)
+    destination_file = open(destination_path, 'wb')
+    shutil.copyfileobj(self.temporary_file, destination_file)
+    destination_file.close()
+    # 'self.close()' closes temporary file which destroys itself.
+    self.close_temp_file()
+
+
+  def seek(self, *args):
+    """
+    <Purpose>
+      Set file's current position.
+
+    <Arguments>
+      *args:
+        (*-operator): unpacking argument list is used
+        because seek method accepts two args: offset and whence.  If whence is
+        not specified, its default is 0.  Indicate offset to set the file's
+        current position. Refer to the python manual for more info.
+
+    <Exceptions>
+      None.
+
+    <Return>
+      None.
+
+    """
+
+    self.temporary_file.seek(*args)
+
+
+  def decompress_temp_file_object(self, compression):
+    """
+    <Purpose>
+      To decompress a compressed temp file object.  Decompression is performed
+      on a temp file object that is compressed, this occurs after downloading
+      a compressed file.  For instance if a compressed version of some meta
+      file in the repository is downloaded, the temp file containing the
+      compressed meta file will be decompressed using this function.
+      Note that after calling this method, write() can no longer be called.
+
+                            meta.txt.gz
+                               |...[download]
+                        temporary_file (containing meta.txt.gz)
+                        /             \
+               temporary_file          _orig_file
+          containing meta.txt          containing meta.txt.gz
+          (decompressed data)
+
+    <Arguments>
+      compression:
+        A string indicating the type of compression that was used to compress
+        a file.  Only gzip is allowed.
+
+    <Exceptions>
+      tuf.Error
+
+    <Side Effects>
+      'self._orig_file' is used to store the original data of 'temporary_file'.
+
+    <Return>
+      None.
+
+    """
+
+    if self._orig_file is not None:
+      raise tuf.Error('Can only set compression on a TempFile once.')
+
+    if compression != 'gzip':
+      raise tuf.Error('Only gzip compression is supported.')
+    self.seek(0)
+    self._compression = compression
+    self._orig_file = self.temporary_file
+    self.temporary_file = gzip.GzipFile(fileobj=self.temporary_file, mode='rb')
+
+
+  def close_temp_file(self):
+    """
+    <Purpose>
+      Closes the temporary file object. 'close_temp_file' mimics usual
+      file.close(), however temporary file destroys itself when
+      'close_temp_file' is called. Further if compression is set, second
+      temporary file instance 'self._orig_file' is also closed so that no open
+      temporary files are left open.
+
+    <Arguments>
+      None.
+
+    <Exceptions>
+      None.
+
+    <Side Effects>
+      Closes 'self._orig_file'.
+
+    <Return>
+      None.
+
+    """
+
+    self.temporary_file.close()
+    # If compression has been set, we need to explicitly close the original
+    # file object.
+    if self._orig_file is not None:
+      self._orig_file.close()
+
+
+
+
+# TODO: Change the argument name to something like 'file_path'
+# TODO: Do something with 'repository_directory'
+# TODO: Make sure that you are able to run from anywhere on the system
+# TODO: not only from the repository directory.
+def get_file_details(file_path, repository_directory=None):
+  """
+  <Purpose>
+    To get file's length and hash information.  The hash is computed using
+    sha256 algorithm.  This function is used in signerlib.py and updater.py
+    modules.
+
+  <Arguments>
+    file_path:
+      Absolute file path.  Otherwise, 'file_path' has to be relative to the
+      current working directory.
+      TODO: Include repository directory to
+
+  <Exceptions>
+    tuf.FormatError: If hash of the file does not match HASHDICT_SCHEMA.
+    TODO: check non-existing path wich produces OSError.
+
+  <Returns>
+    A tuple (length, hashes) describing file_path.
+
+  """
+  # Making sure that the format of 'file_path' is a path string.
+  # tuf.FormatError is raised on incorrect format.
+  tuf.formats.RELPATH_SCHEMA.check_match(file_path)
+
+  # Does the path exists?
+  if not os.path.exists(file_path):
+    raise tuf.Error, 'Path '+repr(file_path)+' doest not exist.'
+  file_path = os.path.abspath(file_path)
+
+  # Obtaining length of the file.
+  file_length = os.path.getsize(file_path)
+
+  # Obtaining hash of the file.
+  digest_object = tuf.hash.digest_filename(file_path, algorithm='sha256')
+  file_hash = {'sha256' : digest_object.hexdigest()}
+
+  # Performing a format check to ensure 'file_hash' corresponds HASHDICT_SCHEMA.
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.HASHDICT_SCHEMA.check_match(file_hash)
+
+  return file_length, file_hash
+
+
+
+
+
+def ensure_parent_dir(filename):
+  """
+  <Purpose>
+    To ensure existence of the parent directory of 'filename'.  If the parent
+    directory of 'name' does not exist, create it.
+
+  <Arguments>
+    filename:
+      A path string.
+
+  <Side Effects>
+    A directory is created whenever parent directory of 'filename' does not exist.
+
+  <Return>
+    None.
+
+  """
+
+  # Ensure 'name' corresponds to 'RELPATH_SCHEMA'.
+  # Raise 'tuf.FormatError' on a mismatch.
+  tuf.formats.RELPATH_SCHEMA.check_match(filename)
+
+  # Split 'filename' into head and tail, check if head exists.
+  directory = os.path.split(filename)[0]
+  if directory and not os.path.exists(directory):
+    os.makedirs(directory, 0700)
+
+
+
+
+
+def path_in_confined_paths(test_path, confined_paths):
+  """
+  <Purpose>
+    Check whether 'test_path' is in the list/tuple of 'confined_paths'.
+
+  <Arguments>
+    test_path:
+      A string representing a path.
+
+    confined_paths:
+      A list or a tuple of path strings.
+
+  <Exceptions>
+   tuf.TypeError, if the arguments are improperly typed.
+
+  <Return>
+    Boolean.  True, if path is either the empty string
+    or in 'confined_paths'; False, otherwise.
+
+  """
+
+  # Do the arguments are the correct format?
+  # Raise 'tuf.FormatError' if there is a mismatch.
+  tuf.formats.PATH_SCHEMA.check_match(test_path)
+  tuf.formats.PATHS_SCHEMA.check_match(confined_paths)
+
+  if not isinstance(test_path, basestring):
+    raise TypeError('The test path must be a string')
+  if not isinstance(confined_paths, (list, tuple)):
+    raise TypeError('The confined paths must be a list or a tuple')
+
+  for pattern in confined_paths:
+    # Ignore slashes at the beginning.
+    pattern = pattern.lstrip('/')
+
+    # An empty string signifies the client should be confined to all
+    # directories and subdirectories.  No need to check 'test_path'.
+    if pattern == '':
+      return True
+
+    # Get the directory name (i.e., strip off the file_path+extension)
+    directory_name = os.path.dirname(test_path)
+
+    if directory_name == os.path.dirname(pattern):
+      return True
+
+  return False
+
+
+
+
+
+_json_module = None
+
+def import_json():
+  """
+  <Purpose>
+    Tries to import json module.
+
+  <Arguments>
+    None.
+
+  <Exceptions>
+    ImportError on failure to import json or simplejson modules.
+    NameError
+
+  <Return>
+    json/simplejson module
+
+  """
+
+  global _json_module
+  if _json_module is not None:
+    return _json_module
+
+  for name in [ 'json', 'simplejson' ]:
+    try:
+      module = __import__(name)
+    except ImportError:
+      continue
+    if not hasattr(module, 'dumps'):
+      # Some versions of Ubuntu have a module called 'json' that is
+      # not a recognizable simplejson module.
+      if name == 'json':
+        logger.warn('Your operating system has a nonfunctional json '
+                    'module.  That is going to break any programs that '
+                    'use the real json module in Python 2.6.  Trying '
+                    'simplejson instead.')
+      continue
+
+    # Some old versions of simplejson escape / as \/ in a misguided and
+    # inadequate attempt to fix XSS attacks.  Make them not do that.  This
+    # code is not guaranteed to work on all broken versions of simplejson:
+    # it replaces an entry in the internal character-replacement
+    # dictionary so that '/' is translated to itself rather than to \/.
+    # We also need to make sure that ensure_ascii is False, so that we
+    # do not call the C-optimized string encoder in these broken versions,
+    # which we can't fix easily.  Both parts are a kludge.
+    try:
+      escape_dct = module.encoder.ESCAPE_DCT
+    except NameError:
+      pass
+    else:
+      if escape_dct.has_key('/'):
+        escape_dct['/'] = '/'
+        save_dumps = module.dumps
+        save_dump = module.dump
+        def dumps(*k, **v):
+          v['ensure_ascii'] = False
+          return save_dumps(*k, **v)
+        def dump(*k, **v):
+          v['ensure_ascii'] = False
+          return save_dump(*k, **v)
+        module.dump = dump
+        module.dumps = dumps
+        logger.warn('Your operating system has an old broken '
+                    'simplejson module.  I tried to fix it for you.')
+
+    _json_module = module
+    return module
+
+  raise ImportError('Could not import a working json module')
+
+
+json = import_json()
+
+
+def load_json_string(data):
+  """
+  <Purpose>
+    To deserialize a JSON object from a string 'data'.
+
+  <Arguments>
+    data:
+      A JSON string.
+
+  <Return>
+    Deserialized object.  For example a dictionary.
+
+  """
+
+  return json.loads(data)
+
+
+def load_json_file(filename):
+  """
+  <Purpose>
+    To deserialize a JSON object from a file containing the object.
+
+  <Arguments>
+    data:
+      A JSON string.
+
+  <Return>
+    Deserialized object.  For example a dictionary.
+
+  """
+
+  fp = open(filename)
+  try:
+    return json.load(fp)
+  finally:
+    fp.close()
+