diff --git a/src/core/ddsc/src/dds__topic.h b/src/core/ddsc/src/dds__topic.h
index d59dc1f..f6de42a 100644
--- a/src/core/ddsc/src/dds__topic.h
+++ b/src/core/ddsc/src/dds__topic.h
@@ -35,6 +35,8 @@ DDS_EXPORT void dds_topic_set_filter_with_ctx
 DDS_EXPORT dds_topic_intern_filter_fn dds_topic_get_filter_with_ctx
   (dds_entity_t topic);
 
+DDS_EXPORT dds_entity_t dds_create_topic_impl (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist);
+
 #if defined (__cplusplus)
 }
 #endif
diff --git a/src/core/ddsc/src/dds_builtin.c b/src/core/ddsc/src/dds_builtin.c
index 8dd026f..ca45561 100644
--- a/src/core/ddsc/src/dds_builtin.c
+++ b/src/core/ddsc/src/dds_builtin.c
@@ -76,7 +76,7 @@ dds_entity_t dds__get_builtin_topic (dds_entity_t entity, dds_entity_t topic)
   }
 
   dds_qos_t *qos = dds__create_builtin_qos ();
-  tp = dds_create_topic_arbitrary (par->m_entity.m_hdllink.hdl, sertopic, qos, NULL, NULL);
+  tp = dds_create_topic_impl (par->m_entity.m_hdllink.hdl, sertopic, qos, NULL, NULL);
   dds_delete_qos (qos);
   dds_entity_unpin (e);
   return tp;
diff --git a/src/core/ddsc/src/dds_topic.c b/src/core/ddsc/src/dds_topic.c
index 7d9df7d..4796703 100644
--- a/src/core/ddsc/src/dds_topic.c
+++ b/src/core/ddsc/src/dds_topic.c
@@ -280,7 +280,7 @@ const struct dds_entity_deriver dds_entity_deriver_topic = {
   .validate_status = dds_topic_status_validate
 };
 
-dds_entity_t dds_create_topic_arbitrary (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
+dds_entity_t dds_create_topic_impl (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
 {
   dds_return_t rc;
   dds_participant *par;
@@ -465,6 +465,15 @@ err_invalid_qos:
   return rc;
 }
 
+dds_entity_t dds_create_topic_arbitrary (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
+{
+  assert(sertopic);
+  assert(sertopic->name);
+  if (!strncmp(sertopic->name, "DCPS", 4))
+    return DDS_RETCODE_BAD_PARAMETER;
+  return dds_create_topic_impl (participant, sertopic, qos, listener, sedp_plist);
+}
+
 dds_entity_t dds_create_topic (dds_entity_t participant, const dds_topic_descriptor_t *desc, const char *name, const dds_qos_t *qos, const dds_listener_t *listener)
 {
   struct ddsi_sertopic_default *st;
diff --git a/src/core/ddsc/tests/topic.c b/src/core/ddsc/tests/topic.c
index d71c8d5..3707715 100644
--- a/src/core/ddsc/tests/topic.c
+++ b/src/core/ddsc/tests/topic.c
@@ -177,7 +177,7 @@ CU_Test(ddsc_topic_create, desc_null, .init=ddsc_topic_init, .fini=ddsc_topic_fi
 
 
 CU_TheoryDataPoints(ddsc_topic_create, invalid_names) = {
-        CU_DataPoints(char *, NULL, "", "mi-dle", "-start", "end-", "1st", "Thus$", "pl+s", "t(4)"),
+        CU_DataPoints(char *, NULL, "", "mi-dle", "-start", "end-", "1st", "Thus$", "pl+s", "t(4)", "DCPSmytopic"),
 };
 CU_Theory((char *name), ddsc_topic_create, invalid_names, .init=ddsc_topic_init, .fini=ddsc_topic_fini)
 {
diff --git a/src/security/api/include/dds/security/dds_security_api_err.h b/src/security/api/include/dds/security/dds_security_api_err.h
index 20ee24b..9246ba5 100644
--- a/src/security/api/include/dds/security/dds_security_api_err.h
+++ b/src/security/api/include/dds/security/dds_security_api_err.h
@@ -97,16 +97,14 @@ extern "C" {
 #define DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE 146
 #define DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE "Subject name is invalid"
 #define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE 147
-#define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE "Permissions validity period expired for %s"
+#define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE "Permissions validity period expired for %s (expired: %s)"
 #define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE 148
-#define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE "Permissions validity period has not started yet for %s"
+#define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE "Permissions validity period has not started yet for %s (start: %s)"
 #define DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_CODE 149
 #define DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_MESSAGE "Could not find valid grant in permissions"
-#define DDS_SECURITY_ERR_PERMISSIONS_OUT_OF_VALIDITY_DATE_CODE 150
-#define DDS_SECURITY_ERR_PERMISSIONS_OUT_OF_VALIDITY_DATE_MESSAGE "Permissions of subject (%s) outside validity date: %s - %s"
-#define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE 151
+#define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE 150
 #define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_MESSAGE "Unsupported URI type: %s"
-#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 152
+#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 151
 #define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_MESSAGE "The payload is not aligned at 4 bytes"
 
 #define DDS_SECURITY_ERR_UNDEFINED_CODE 200
diff --git a/src/security/builtin_plugins/CMakeLists.txt b/src/security/builtin_plugins/CMakeLists.txt
index 113d0b4..93feffb 100644
--- a/src/security/builtin_plugins/CMakeLists.txt
+++ b/src/security/builtin_plugins/CMakeLists.txt
@@ -11,6 +11,7 @@
 #
 cmake_minimum_required(VERSION 3.7)
 
+add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/access_control")
 add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/authentication")
 add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/cryptographic")
 
diff --git a/src/security/builtin_plugins/access_control/CMakeLists.txt b/src/security/builtin_plugins/access_control/CMakeLists.txt
new file mode 100644
index 0000000..c0cee0a
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/CMakeLists.txt
@@ -0,0 +1,55 @@
+#
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+include (GenerateExportHeader)
+
+find_package(OpenSSL)
+
+PREPEND(srcs_accesscontrol "${CMAKE_CURRENT_LIST_DIR}/src"
+    access_control_objects.c
+    access_control_parser.c
+    access_control_utils.c
+    access_control.c
+)
+
+add_library(dds_security_ac SHARED "")
+
+generate_export_header(
+    dds_security_ac
+        BASE_NAME SECURITY
+        EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/security/export.h"
+)
+
+add_definitions(-DDDSI_INCLUDE_SSL)
+
+target_link_libraries(dds_security_ac PUBLIC ddsc)
+target_link_libraries(dds_security_ac PUBLIC OpenSSL::SSL)
+
+target_sources(dds_security_ac
+    PRIVATE
+        ${srcs_accesscontrol}
+)
+
+target_include_directories(dds_security_ac
+    PUBLIC
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:ddsrt,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/include>"
+)
+
+install(
+  TARGETS
+  EXPORT "${PROJECT_NAME}"
+  RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
+  LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+  ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+)
diff --git a/src/security/builtin_plugins/access_control/src/access_control.c b/src/security/builtin_plugins/access_control/src/access_control.c
new file mode 100644
index 0000000..f356445
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control.c
@@ -0,0 +1,2486 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#define ACCESS_CONTROL_USE_ONE_PERMISSION
+
+#include <assert.h>
+#include <string.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/sync.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "access_control.h"
+#include "access_control_utils.h"
+#include "access_control_objects.h"
+#include "access_control_parser.h"
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#define REMOVE_THREAD_STATE() ERR_remove_thread_state(NULL);
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L
+#define REMOVE_THREAD_STATE() ERR_remove_state(0);
+#else
+#define REMOVE_THREAD_STATE()
+#endif
+
+static const char *ACCESS_CONTROL_PROTOCOL_CLASS = "DDS:Access";
+static const unsigned ACCESS_CONTROL_PROTOCOL_VERSION_MAJOR = 1;
+static const unsigned ACCESS_CONTROL_PROTOCOL_VERSION_MINOR = 0;
+
+static const char *ACCESS_CONTROL_PERMISSIONS_CLASS_ID = "Permissions";
+
+static const char *QOS_PROPERTY_PERMISSIONS_DOCUMENT = "dds.sec.access.permissions";
+static const char *QOS_PROPERTY_GOVERNANCE_DOCUMENT = "dds.sec.access.governance";
+static const char *QOS_PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *QOS_PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+
+static const char *ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID = "DDS:Access:PermissionsCredential";
+static const char *ACCESS_PROPERTY_PERMISSION_DOCUMENT = "dds.perm.cert";
+
+typedef enum TOPIC_TYPE
+{
+  TOPIC_TYPE_USER = 0,
+  TOPIC_TYPE_NON_SECURE_BUILTIN,
+  TOPIC_TYPE_SECURE_ParticipantsSecure,
+  TOPIC_TYPE_SECURE_PublicationsSecure,
+  TOPIC_TYPE_SECURE_SubscriptionsSecure,
+  TOPIC_TYPE_SECURE_ParticipantMessageSecure,
+  TOPIC_TYPE_SECURE_ParticipantStatelessMessage,
+  TOPIC_TYPE_SECURE_ParticipantVolatileMessageSecure
+} TOPIC_TYPE;
+
+/**
+ * Implementation structure for storing encapsulated members of the instance
+ * while giving only the interface definition to user
+ */
+
+typedef struct dds_security_access_control_impl
+{
+  dds_security_access_control base;
+  ddsrt_mutex_t lock;
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  local_participant_access_rights *local_access_rights;
+#else
+  /* TODO: implement access rights per participant */
+  struct AccessControlTable *local_permissions;
+#endif
+  struct AccessControlTable *remote_permissions;
+#if TIMED_CALLBACK_IMPLEMENTED
+  struct ut_timed_dispatcher_t *timed_callbacks;
+#endif
+} dds_security_access_control_impl;
+
+static bool get_sec_attributes(dds_security_access_control_impl *ac, const DDS_Security_PermissionsHandle permissions_handle, const char *topic_name,
+    DDS_Security_EndpointSecurityAttributes *attributes, DDS_Security_SecurityException *ex);
+static char *get_access_control_class_id(const char *classid);
+static local_participant_access_rights *check_and_create_local_participant_rights(DDS_Security_IdentityHandle identity_handle, int domain_id, const DDS_Security_Qos *participant_qos, DDS_Security_SecurityException *ex);
+static remote_participant_access_rights *check_and_create_remote_participant_rights(DDS_Security_IdentityHandle remote_identity_handle, local_participant_access_rights *local_rights,
+    const DDS_Security_PermissionsToken *remote_permissions_token, const DDS_Security_AuthenticatedPeerCredentialToken *remote_credential_token, DDS_Security_SecurityException *ex);
+static local_participant_access_rights *find_local_access_rights(dds_security_access_control_impl *ac, DDS_Security_PermissionsHandle handle);
+static local_participant_access_rights *find_local_rights_by_identity(dds_security_access_control_impl *ac, DDS_Security_IdentityHandle identity_handle);
+static remote_participant_access_rights *find_remote_rights_by_identity(dds_security_access_control_impl *ac, DDS_Security_IdentityHandle identity_handle);
+static DDS_Security_boolean domainid_within_sets(struct domain_id_set *domain, int domain_id);
+static DDS_Security_boolean is_topic_in_criteria(const struct criteria *criteria, const char *topic_name);
+static DDS_Security_boolean is_partition_qos_in_criteria(const struct criteria *criteria, const DDS_Security_PartitionQosPolicy *partitions);
+static DDS_Security_boolean is_partition_in_criteria(const struct criteria *criteria, const char *partition_name);
+static struct domain_rule *find_domain_rule_in_governance(struct domain_rule *rule, int domain_id);
+static DDS_Security_boolean get_participant_sec_attributes(dds_security_access_control *instance, const DDS_Security_PermissionsHandle permissions_handle,
+    DDS_Security_ParticipantSecurityAttributes *attributes, DDS_Security_SecurityException *ex);
+static DDS_Security_boolean get_permissions_token(dds_security_access_control *instance, DDS_Security_PermissionsToken *permissions_token, const DDS_Security_PermissionsHandle handle, DDS_Security_SecurityException *ex);
+static remote_participant_access_rights *find_remote_permissions_by_permissions_handle(dds_security_access_control_impl *ac, DDS_Security_PermissionsHandle permissions_handle);
+static struct topic_rule *find_topic_from_domain_rule(struct domain_rule *domain_rule, const char *topic_name);
+static DDS_Security_boolean domainid_within_sets(struct domain_id_set *domain, int domain_id);
+static DDS_Security_boolean compare_class_id_plugin_classname(DDS_Security_string class_id_1, DDS_Security_string class_id_2);
+static DDS_Security_boolean compare_class_id_major_ver(DDS_Security_string class_id_1, DDS_Security_string class_id_2);
+#if TIMED_CALLBACK_IMPLEMENTED
+  static void add_validity_end_trigger(dds_security_access_control_impl *ac, const DDS_Security_PermissionsHandle permissions_handle, dds_time_t end);
+#endif
+static DDS_Security_boolean is_allowed_by_permissions(struct permissions_parser *permissions, int domain_id, const char *topic_name, const DDS_Security_PartitionQosPolicy *partitions,
+    const char *identity_subject_name, permission_criteria_type criteria_type, DDS_Security_SecurityException *ex);
+static void sanity_check_local_access_rights(local_participant_access_rights *rights);
+static void sanity_check_remote_access_rights(remote_participant_access_rights *rights);
+static TOPIC_TYPE get_topic_type(const char *topic_name);
+
+
+static DDS_Security_PermissionsHandle
+validate_local_permissions(
+    dds_security_access_control *instance,
+    const dds_security_authentication *auth_plugin,
+    const DDS_Security_IdentityHandle identity_handle,
+    const DDS_Security_DomainId domain_id,
+    const DDS_Security_Qos *participant_qos,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  DDS_Security_PermissionsHandle permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+  if (!instance || !auth_plugin || identity_handle == DDS_SECURITY_HANDLE_NIL || !participant_qos)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return DDS_SECURITY_HANDLE_NIL;
+  }
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  ddsrt_mutex_lock(&ac->lock);
+  if (ac->local_access_rights == NULL)
+  {
+    rights = check_and_create_local_participant_rights(identity_handle, domain_id, participant_qos, ex);
+    ac->local_access_rights = rights;
+  }
+  else
+  {
+    ACCESS_CONTROL_OBJECT_KEEP(ac->local_access_rights);
+    rights = ac->local_access_rights;
+  }
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  {
+    local_participant_access_rights *existing = find_local_rights_by_identity(ac, identity_handle);
+    if (existing)
+    {
+      ACCESS_CONTROL_OBJECT_RELEASE(existing);
+      return ACCESS_CONTROL_OBJECT_HANDLE(existing);
+    }
+
+    rights = check_and_create_local_participant_rights(identity_handle, domain_id, participant_qos, ex);
+    if (rights)
+      access_control_table_insert(ac->local_permissions, (AccessControlObject *)rights);
+  }
+#endif
+
+  permissions_handle = ACCESS_CONTROL_OBJECT_HANDLE(rights);
+
+  if (permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    assert (rights->permissions_expiry != DDS_TIME_INVALID);
+
+#if TIMED_CALLBACK_IMPLEMENTED
+    if (rights->permissions_expiry != 0)
+      add_validity_end_trigger(ac, permissions_handle, rights->permissions_expiry);
+#endif
+  }
+
+  return permissions_handle;
+}
+
+static DDS_Security_PermissionsHandle
+validate_remote_permissions(
+    dds_security_access_control *instance,
+    const dds_security_authentication *auth_plugin,
+    const DDS_Security_IdentityHandle local_identity_handle,
+    const DDS_Security_IdentityHandle remote_identity_handle,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const DDS_Security_AuthenticatedPeerCredentialToken *remote_credential_token,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *local_rights;
+  remote_participant_access_rights *remote_rights, *existing;
+  DDS_Security_PermissionsHandle permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+  if (!instance || !auth_plugin || local_identity_handle == DDS_SECURITY_HANDLE_NIL || remote_identity_handle == DDS_SECURITY_HANDLE_NIL ||
+      !remote_permissions_token || !remote_permissions_token->class_id || !remote_credential_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return DDS_SECURITY_HANDLE_NIL;
+  }
+
+  if (!(local_rights = find_local_rights_by_identity(ac, local_identity_handle)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return DDS_SECURITY_HANDLE_NIL;
+  }
+
+  if ((existing = find_remote_rights_by_identity(ac, remote_identity_handle)))
+  {
+    if (existing->local_rights->local_identity == local_identity_handle)
+    {
+      ACCESS_CONTROL_OBJECT_RELEASE(existing);
+      return ACCESS_CONTROL_OBJECT_HANDLE(existing);
+    }
+  }
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  if (existing)
+  {
+    /* No check because it has already been checked */
+    remote_rights = ac_remote_participant_access_rights_new(remote_identity_handle, local_rights, existing->permissions, existing->permissions_expiry, remote_permissions_token, existing->identity_subject_name);
+    sanity_check_remote_access_rights(remote_rights);
+    /* TODO: copy or relate security attributes of existing with new remote permissions object */
+  }
+  else
+  {
+    remote_rights = check_and_create_remote_participant_rights(remote_identity_handle, local_rights, remote_permissions_token, remote_credential_token, ex);
+  }
+#else
+  remote_rights = check_and_create_remote_participant_rights(remote_identity_handle, local_rights, remote_permissions_token, remote_credential_token, ex);
+#endif
+
+  permissions_handle = ACCESS_CONTROL_OBJECT_HANDLE(remote_rights);
+
+#if TIMED_CALLBACK_IMPLEMENTED
+  if (permissions_handle != DDS_SECURITY_HANDLE_NIL)
+    add_validity_end_trigger(ac, permissions_handle, remote_rights->permissions_expiry);
+#endif
+
+  if (remote_rights)
+    access_control_table_insert(ac->remote_permissions, (AccessControlObject *)remote_rights);
+
+  ACCESS_CONTROL_OBJECT_RELEASE(existing);
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+
+  return permissions_handle;
+}
+
+static DDS_Security_boolean
+check_create_participant(dds_security_access_control *instance,
+                         const DDS_Security_PermissionsHandle permissions_handle,
+                         const DDS_Security_DomainId domain_id,
+                         const DDS_Security_Qos *participant_qos,
+                         DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  struct domain_rule *domainRule = NULL;
+  struct topic_rule *topicRule = NULL;
+  DDS_Security_ParticipantSecurityAttributes participantSecurityAttributes;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || participant_qos == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* Retrieve rights */
+  if ((rights = find_local_access_rights(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Could not find local rights for the participant.");
+    return false;
+  }
+
+  /* Retrieve domain rules */
+  domainRule = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, domain_id);
+  if (domainRule == NULL || domainRule->topic_access_rules == NULL || domainRule->topic_access_rules->topic_rule == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, domain_id);
+    goto exit;
+  }
+
+  /* Iterate over topics rules*/
+  topicRule = domainRule->topic_access_rules->topic_rule;
+  while (topicRule != NULL)
+  {
+    if (!topicRule->enable_read_access_control->value || !topicRule->enable_write_access_control->value)
+    {
+      /* Governance specifies any topics on the DomainParticipant
+         domain_id with enable_read_access_control set to false or with enable_write_access_control set to false */
+      result = true;
+      goto exit;
+    }
+    topicRule = (struct topic_rule *)topicRule->node.next;
+  }
+
+  if (!get_participant_sec_attributes(instance, permissions_handle, &participantSecurityAttributes, ex))
+    goto exit;
+
+  if (!participantSecurityAttributes.is_access_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Is this participant permitted? */
+  result = is_allowed_by_permissions(rights->permissions_tree, domain_id, NULL /* topic_name */, NULL /* partitions */, rights->identity_subject_name, UNKNOWN_CRITERIA, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_create_datawriter(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id, const char *topic_name,
+                        const DDS_Security_Qos *writer_qos,
+                        const DDS_Security_PartitionQosPolicy *partition,
+                        const DDS_Security_DataTags *data_tag,
+                        DDS_Security_SecurityException *ex)
+{
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  local_participant_access_rights *local_rights;
+  DDS_Security_boolean result = false;
+  DDSRT_UNUSED_ARG(data_tag);
+
+  if (instance == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Plugin instance not provided");
+    return false;
+  }
+  if (permissions_handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Permissions handle not provided");
+    return false;
+  }
+  if (topic_name == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Topic name not provided");
+    return false;
+  }
+  if (writer_qos == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "QoS not provided");
+    return false;
+  }
+  if (partition == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Partition not provided");
+    return false;
+  }
+  if ((local_rights = find_local_access_rights((dds_security_access_control_impl *)instance, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Could not find rights material");
+    return false;
+  }
+  if (local_rights->domain_id != domain_id)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+        "Given domain_id (%d) does not match the related participant domain_id (%d)\n", domain_id, local_rights->domain_id);
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  if (!(result = instance->get_topic_sec_attributes(instance, permissions_handle, topic_name, &topic_sec_attr, ex)))
+    goto exit;
+
+  if (!topic_sec_attr.is_write_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(local_rights->permissions_tree, domain_id, topic_name, partition, local_rights->identity_subject_name, PUBLISH_CRITERIA, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_create_datareader(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id,
+                        const char *topic_name,
+                        const DDS_Security_Qos *reader_qos,
+                        const DDS_Security_PartitionQosPolicy *partition,
+                        const DDS_Security_DataTags *data_tag,
+                        DDS_Security_SecurityException *ex)
+{
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  local_participant_access_rights *local_rights;
+  DDS_Security_boolean result = false;
+
+  DDSRT_UNUSED_ARG(data_tag);
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_name == NULL || reader_qos == NULL || partition == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((local_rights = find_local_access_rights((dds_security_access_control_impl *)instance, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if (local_rights->domain_id != domain_id)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+        "Given domain_id (%d) does not match the related participant domain_id (%d)\n", domain_id, local_rights->domain_id);
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  if ((result = instance->get_topic_sec_attributes(instance, permissions_handle, topic_name, &topic_sec_attr, ex)) == false)
+    goto exit;
+
+  if (topic_sec_attr.is_read_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(local_rights->permissions_tree, domain_id, topic_name, partition, local_rights->identity_subject_name, SUBSCRIBE_CRITERIA, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_create_topic(dds_security_access_control *instance,
+                   const DDS_Security_PermissionsHandle permissions_handle,
+                   const DDS_Security_DomainId domain_id, const char *topic_name,
+                   const DDS_Security_Qos *qos, DDS_Security_SecurityException *ex)
+{
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  local_participant_access_rights *local_rights;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || qos == NULL || topic_name == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((local_rights = find_local_access_rights((dds_security_access_control_impl *)instance, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if (local_rights->domain_id != domain_id)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+        "Given domain_id (%d) does not match the related participant domain_id (%d)\n", domain_id, local_rights->domain_id);
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  if ((result = instance->get_topic_sec_attributes(instance, permissions_handle, topic_name, &topic_sec_attr, ex)) == false)
+    goto exit;
+
+  if (topic_sec_attr.is_read_protected == false || topic_sec_attr.is_write_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(local_rights->permissions_tree, domain_id, topic_name, NULL, local_rights->identity_subject_name, UNKNOWN_CRITERIA /* both publish and subscribe rules */, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_local_datawriter_register_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *writer, const DDS_Security_DynamicData *key,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(writer);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_local_datawriter_dispose_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *writer, const DDS_Security_DynamicData key,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(writer);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_remote_participant(dds_security_access_control *instance,
+                         const DDS_Security_PermissionsHandle permissions_handle,
+                         const DDS_Security_DomainId domain_id,
+                         const DDS_Security_ParticipantBuiltinTopicDataSecure *participant_data,
+                         DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  remote_participant_access_rights *remote_rights = NULL;
+  DDS_Security_boolean isValid = false;
+  DDS_Security_ParticipantSecurityAttributes participantSecurityAttributes;
+  DDS_Security_PermissionsHandle local_permissions_handle;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || participant_data == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* retrieve the cached remote DomainParticipant Governance; the permissions_handle is associated with the remote participant */
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* The local rights pointer is actually the local permissions handle. */
+  local_permissions_handle = ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights);
+  if ((isValid = get_participant_sec_attributes(instance, local_permissions_handle, &participantSecurityAttributes, ex)) == false)
+    goto exit;
+  if (participantSecurityAttributes.is_access_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* 2) If the PluginClassName or the MajorVersion of the local permissions_token differ from those in the remote_permissions_token,
+       the operation shall return false. */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (compare_class_id_major_ver(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    goto exit_free_classid;
+  }
+
+  /* 3) If the Permissions document contains a Grant for the remote DomainParticipant and the Grant contains an allow rule on
+       the DomainParticipant domain_id, then the  operation shall succeed and return true. */
+  /* Iterate over the grants and rules of the remote participant */
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, NULL, NULL, remote_rights->identity_subject_name, UNKNOWN_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_remote_datawriter(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id,
+                        const DDS_Security_PublicationBuiltinTopicDataSecure *publication_data,
+                        DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  remote_participant_access_rights *remote_rights;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || publication_data == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((result = instance->get_topic_sec_attributes(instance, ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights), publication_data->topic_name, &topic_sec_attr, ex)) == false)
+    goto exit;
+  if (topic_sec_attr.is_write_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Compare PluginClassName and MajorVersion parts */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0,
+        DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (compare_class_id_major_ver(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0,
+        DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    goto exit_free_classid;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, publication_data->topic_name,
+      &(publication_data->partition), remote_rights->identity_subject_name, PUBLISH_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_remote_datareader(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id,
+                        const DDS_Security_SubscriptionBuiltinTopicDataSecure *subscription_data,
+                        DDS_Security_boolean *relay_only,
+                        DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  remote_participant_access_rights *remote_rights;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || subscription_data == NULL || relay_only == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  *relay_only = false;
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if (!(instance->get_topic_sec_attributes(instance, ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights), subscription_data->topic_name, &topic_sec_attr, ex)))
+    goto exit;
+  if (!topic_sec_attr.is_read_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Compare PluginClassName and MajorVersion parts */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0,
+        DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (compare_class_id_major_ver(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0,
+                               DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+    goto exit_free_classid;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, subscription_data->topic_name,
+      &(subscription_data->partition), remote_rights->identity_subject_name, SUBSCRIBE_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_remote_topic(dds_security_access_control *instance,
+                   const DDS_Security_PermissionsHandle permissions_handle,
+                   const DDS_Security_DomainId domain_id,
+                   const DDS_Security_TopicBuiltinTopicData *topic_data,
+                   DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  remote_participant_access_rights *remote_rights;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_data == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((result = instance->get_topic_sec_attributes(instance, ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights), topic_data->name, &topic_sec_attr, ex)) == false)
+    goto exit;
+  if (!topic_sec_attr.is_read_protected || !topic_sec_attr.is_write_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Compare PluginClassName and MajorVersion parts */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (!compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0,
+      DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (!compare_class_id_major_ver(class_id_remote_str, class_id_local_str))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0,
+      DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    goto exit_free_classid;
+  }
+
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, topic_data->name, NULL, remote_rights->identity_subject_name, UNKNOWN_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_local_datawriter_match(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle writer_permissions_handle,
+    const DDS_Security_PermissionsHandle reader_permissions_handle,
+    const DDS_Security_PublicationBuiltinTopicDataSecure *publication_data,
+    const DDS_Security_SubscriptionBuiltinTopicDataSecure *subscription_data,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(writer_permissions_handle);
+  DDSRT_UNUSED_ARG(reader_permissions_handle);
+  DDSRT_UNUSED_ARG(publication_data);
+  DDSRT_UNUSED_ARG(subscription_data);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* This function is not implemented because it relies on DataTagging,
+     an optional DDS Security feature that is not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_local_datareader_match(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle reader_permissions_handle,
+    const DDS_Security_PermissionsHandle writer_permissions_handle,
+    const DDS_Security_SubscriptionBuiltinTopicDataSecure *subscription_data,
+    const DDS_Security_PublicationBuiltinTopicDataSecure *publication_data,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(reader_permissions_handle);
+  DDSRT_UNUSED_ARG(writer_permissions_handle);
+  DDSRT_UNUSED_ARG(subscription_data);
+  DDSRT_UNUSED_ARG(publication_data);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_remote_datawriter_register_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *reader,
+    const DDS_Security_InstanceHandle publication_handle,
+    const DDS_Security_DynamicData key,
+    const DDS_Security_InstanceHandle instance_handle,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(reader);
+  DDSRT_UNUSED_ARG(publication_handle);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(instance_handle);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_remote_datawriter_dispose_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *reader,
+    const DDS_Security_InstanceHandle publication_handle,
+    const DDS_Security_DynamicData key,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(reader);
+  DDSRT_UNUSED_ARG(publication_handle);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+get_permissions_token(dds_security_access_control *instance,
+                      DDS_Security_PermissionsToken *permissions_token,
+                      const DDS_Security_PermissionsHandle handle,
+                      DDS_Security_SecurityException *ex)
+{
+  local_participant_access_rights *rights;
+  if (!ex)
+    return false;
+  if (!instance)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_token: No instance provided");
+    return false;
+  }
+  if (!permissions_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_token: No permissions token provided");
+    return false;
+  }
+  if (handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_token: No permissions handle provided");
+    return false;
+  }
+  if ((rights = find_local_access_rights((dds_security_access_control_impl *)instance, handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "get_permissions_token: Unused permissions handle provided");
+    return false;
+  }
+
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  memset(permissions_token, 0, sizeof(*permissions_token));
+  permissions_token->class_id = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  return true;
+}
+
+static DDS_Security_boolean
+get_permissions_credential_token(
+    dds_security_access_control *instance,
+    DDS_Security_PermissionsCredentialToken *permissions_credential_token,
+    const DDS_Security_PermissionsHandle handle,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  if (!ex)
+    return false;
+  if (!instance)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_credential_token: No instance provided");
+    return false;
+  }
+  if (!permissions_credential_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_credential_token: No permissions credential token provided");
+    return false;
+  }
+  if (handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_credential_token: No permissions handle provided");
+    return false;
+  }
+  if ((rights = find_local_access_rights(ac, handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "get_permissions_credential_token: Unused permissions handle provided");
+    return false;
+  }
+
+  memset(permissions_credential_token, 0, sizeof(*permissions_credential_token));
+  permissions_credential_token->class_id = ddsrt_strdup(ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID);
+  permissions_credential_token->properties._length = permissions_credential_token->properties._maximum = 1;
+  permissions_credential_token->properties._buffer = DDS_Security_PropertySeq_allocbuf(1);
+  permissions_credential_token->properties._buffer[0].name = ddsrt_strdup(ACCESS_PROPERTY_PERMISSION_DOCUMENT);
+  permissions_credential_token->properties._buffer[0].value = ddsrt_strdup(rights->permissions_document);
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return true;
+}
+
+
+static DDS_Security_boolean
+set_listener(dds_security_access_control *instance,
+             const dds_security_access_control_listener *listener,
+             DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(ex);
+#if TIMED_CALLBACK_IMPLEMENTED
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  if (listener)
+    ut_timed_dispatcher_enable(ac->timed_callbacks, (void *)listener);
+  else
+    ut_timed_dispatcher_disable(ac->timed_callbacks);
+#else
+  DDSRT_UNUSED_ARG(instance);
+  DDSRT_UNUSED_ARG(listener);
+#endif
+
+  return true;
+}
+
+static DDS_Security_boolean
+return_permissions_token(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsToken *token,
+    DDS_Security_SecurityException *ex)
+{
+  if (!instance || !token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)token);
+  return true;
+}
+
+static DDS_Security_boolean
+return_permissions_credential_token(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsCredentialToken *permissions_credential_token,
+    DDS_Security_SecurityException *ex)
+{
+  if (!instance || !permissions_credential_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)permissions_credential_token);
+  return true;
+}
+
+static void
+protectionkind_to_participant_attribute(
+    DDS_Security_ProtectionKind kind,
+    DDS_Security_boolean *is_protected,
+    DDS_Security_ParticipantSecurityAttributesMask *mask,
+    DDS_Security_ParticipantSecurityAttributesMask encryption_bit,
+    DDS_Security_ParticipantSecurityAttributesMask authentication_bit)
+{
+  switch (kind)
+  {
+  case DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION:
+    (*mask) |= authentication_bit;
+    (*mask) |= encryption_bit;
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_ENCRYPT:
+    (*mask) |= encryption_bit;
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION:
+    (*mask) |= authentication_bit;
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_SIGN:
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_NONE:
+  default:
+    (*is_protected) = false;
+    break;
+  }
+}
+
+static DDS_Security_PluginEndpointSecurityAttributesMask
+get_plugin_endpoint_security_attributes_mask(
+    DDS_Security_boolean is_payload_encrypted,
+    DDS_Security_boolean is_submessage_encrypted,
+    DDS_Security_boolean is_submessage_origin_authenticated)
+{
+  DDS_Security_PluginEndpointSecurityAttributesMask mask = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+  if (is_submessage_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  if (is_payload_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED;
+  if (is_submessage_origin_authenticated)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  return mask;
+}
+
+static void
+domain_rule_to_participant_attributes(
+    const struct domain_rule *rule,
+    DDS_Security_ParticipantSecurityAttributes *attributes)
+{
+  /* Expect proper rule. */
+  assert(rule);
+  assert(rule->allow_unauthenticated_participants);
+  assert(rule->enable_join_access_control);
+  assert(rule->liveliness_protection_kind);
+  assert(rule->discovery_protection_kind);
+  assert(rule->rtps_protection_kind);
+  assert(attributes);
+
+  memset(attributes, 0, sizeof(DDS_Security_ParticipantSecurityAttributes));
+
+  attributes->allow_unauthenticated_participants = rule->allow_unauthenticated_participants->value;
+  attributes->is_access_protected = rule->enable_join_access_control->value;
+
+  attributes->plugin_participant_attributes = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID;
+
+  protectionkind_to_participant_attribute(
+      rule->discovery_protection_kind->value,
+      &(attributes->is_discovery_protected),
+      &(attributes->plugin_participant_attributes),
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED,
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+
+  protectionkind_to_participant_attribute(
+      rule->liveliness_protection_kind->value,
+      &(attributes->is_liveliness_protected),
+      &(attributes->plugin_participant_attributes),
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED,
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED);
+
+  protectionkind_to_participant_attribute(
+      rule->rtps_protection_kind->value,
+      &(attributes->is_rtps_protected),
+      &(attributes->plugin_participant_attributes),
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED,
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED);
+}
+
+static DDS_Security_boolean
+domainid_within_sets(
+    struct domain_id_set *domain,
+    int domain_id)
+{
+  DDS_Security_boolean found = false;
+  int32_t min;
+  int32_t max;
+
+  while (domain != NULL && !found)
+  {
+    assert(domain->min);
+    min = domain->min->value;
+    max = domain->max ? domain->max->value : min;
+    if ((domain_id >= min) && (domain_id <= max))
+      found = true;
+    domain = (struct domain_id_set *)domain->node.next;
+  }
+  return found;
+}
+
+static struct domain_rule *
+find_domain_rule_in_governance(struct domain_rule *rule, int domain_id)
+{
+  struct domain_rule *found = NULL;
+  while ((rule != NULL) && (found == NULL))
+  {
+    assert(rule->domains);
+    if (domainid_within_sets(rule->domains->domain_id_set, domain_id))
+      found = rule;
+    rule = (struct domain_rule *)rule->node.next;
+  }
+  return found;
+}
+
+static DDS_Security_boolean
+get_participant_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    DDS_Security_ParticipantSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *local_rights;
+  struct domain_rule *found = NULL;
+  DDS_Security_boolean result = false;
+
+  if (instance == 0 || permissions_handle == DDS_SECURITY_HANDLE_NIL || attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* The local rights are actually the local permissions handle. Check that. */
+  if ((local_rights = find_local_access_rights(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Invalid permissions handle");
+    return false;
+  }
+  if ((found = find_domain_rule_in_governance(local_rights->governance_tree->dds->domain_access_rules->domain_rule, local_rights->domain_id)))
+  {
+    domain_rule_to_participant_attributes(found, attributes);
+    result = true;
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Could not domain id within governance file.");
+  }
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+compare_class_id_plugin_classname(DDS_Security_string classid1, DDS_Security_string classid2)
+{
+  char *classname1 = strrchr(classid1, ':');
+  char *classname2 = strrchr(classid2, ':');
+  const ptrdiff_t len1 = classname1 - classid1;
+  const ptrdiff_t len2 = classname2 - classid2;
+  return len1 == len2 && classname1 && classname2 &&
+    ddsrt_strncasecmp(classid1, classid2, (size_t) len1) == 0;
+}
+
+static DDS_Security_boolean
+compare_class_id_major_ver(DDS_Security_string classid1, DDS_Security_string classid2)
+{
+  char *version_1 = strrchr(classid1, ':');
+  char *version_2 = strrchr(classid2, ':');
+  if (version_1 && version_2)
+  {
+    const char *majorVersion_1 = strrchr(version_1, '.');
+    const char *majorVersion_2 = strrchr(version_2, '.');
+    const ptrdiff_t len1 = majorVersion_1 - version_1;
+    const ptrdiff_t len2 = majorVersion_2 - version_2;
+    return len1 == len2 && majorVersion_1 && majorVersion_2 &&
+      ddsrt_strncasecmp(version_1, version_2, (size_t) len1) == 0;
+  }
+  return false;
+}
+
+static DDS_Security_boolean
+is_partition_qos_in_criteria(
+    const struct criteria *criteria,
+    const DDS_Security_PartitionQosPolicy *partitions)
+{
+  unsigned int partition_index = 0;
+  const char *partitionDefault[] = {""};
+  const DDS_Security_PartitionQosPolicy *partitionsToCheck;
+  DDS_Security_PartitionQosPolicy defaultPartitions;
+  defaultPartitions.name._length = 1;
+  defaultPartitions.name._maximum = 1;
+  defaultPartitions.name._buffer = (char **)partitionDefault;
+
+  if (criteria == NULL)
+    return false;
+
+  if (!partitions || partitions->name._length == 0)
+    partitionsToCheck = &defaultPartitions;
+  else
+    partitionsToCheck = partitions;
+
+  for (partition_index = 0; partition_index < partitionsToCheck->name._length; partition_index++)
+  {
+    if (is_partition_in_criteria(criteria, partitionsToCheck->name._buffer[partition_index]) == false)
+      return false;
+  }
+
+  return true;
+}
+
+static DDS_Security_boolean
+is_partition_in_criteria(
+    const struct criteria *criteria,
+    const char *partition_name)
+{
+  struct partitions *current_partitions;
+  struct string_value *current_partition;
+
+  if (criteria == NULL || partition_name == NULL)
+    return false;
+
+  current_partitions = (struct partitions *)criteria->partitions;
+  while (current_partitions != NULL)
+  {
+    current_partition = current_partitions->partition;
+    while (current_partition != NULL)
+    {
+      if (ac_fnmatch(current_partition->value, partition_name))
+        return true;
+      current_partition = (struct string_value *)current_partition->node.next;
+    }
+    current_partitions = (struct partitions *)current_partitions->node.next;
+  }
+  return false;
+}
+
+static DDS_Security_boolean
+is_topic_in_criteria(
+    const struct criteria *criteria,
+    const char *topic_name)
+{
+  struct topics *current_topics;
+  struct string_value *current_topic;
+
+  if (criteria == NULL || topic_name == NULL)
+    return false;
+
+  /* Start by checking for a matching topic */
+  current_topics = criteria->topics;
+  while (current_topics != NULL)
+  {
+    current_topic = current_topics->topic;
+    while (current_topic != NULL)
+    {
+      if (ac_fnmatch(current_topic->value, topic_name))
+        return true;
+      current_topic = (struct string_value *)current_topic->node.next;
+    }
+    current_topics = (struct topics *)current_topics->node.next;
+  }
+  return false;
+}
+
+static struct topic_rule *
+find_topic_from_domain_rule(
+    struct domain_rule *domain_rule,
+    const char *topic_name)
+{
+  struct topic_rule *topic_rule;
+  struct topic_rule *topic_found = NULL;
+
+  if (domain_rule->topic_access_rules != NULL &&
+      domain_rule->topic_access_rules->topic_rule != NULL)
+  {
+    topic_rule = domain_rule->topic_access_rules->topic_rule;
+    while (topic_rule != NULL && topic_found == NULL)
+    {
+      assert(topic_rule->topic_expression);
+      if (ac_fnmatch(topic_rule->topic_expression->value, topic_name))
+        topic_found = topic_rule;
+      topic_rule = (struct topic_rule *)topic_rule->node.next;
+    }
+  }
+  return topic_found;
+}
+
+static DDS_Security_boolean
+get_topic_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    DDS_Security_TopicSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  struct domain_rule *found;
+  DDS_Security_boolean result = false;
+
+  if (instance == 0)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No plugin instance provided");
+    return false;
+  }
+  if (permissions_handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No permissions handle provided");
+    return false;
+  }
+  if (topic_name == NULL || strlen(topic_name) == 0)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No topic name provided");
+    return false;
+  }
+  if (attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No attributes provided");
+    return false;
+  }
+  rights = find_local_access_rights(ac, permissions_handle);
+  if (rights == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Unused permissions handle provided");
+    return false;
+  }
+
+  memset(attributes, 0, sizeof(*attributes));
+
+  if (get_topic_type(topic_name) != TOPIC_TYPE_USER)
+  {
+    /* No attributes are set for builtin topics. */
+    ACCESS_CONTROL_OBJECT_RELEASE(rights);
+    return true;
+  }
+
+  if ((found = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, rights->domain_id)))
+  {
+    struct topic_rule *topic_rule = find_topic_from_domain_rule(found, topic_name);
+    if (topic_rule)
+    {
+      attributes->is_discovery_protected = topic_rule->enable_discovery_protection->value;
+      attributes->is_liveliness_protected = topic_rule->enable_liveliness_protection->value;
+      attributes->is_read_protected = topic_rule->enable_read_access_control->value;
+      attributes->is_write_protected = topic_rule->enable_write_access_control->value;
+      result = true;
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_MESSAGE, topic_name, rights->domain_id);
+    }
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, rights->domain_id);
+  }
+
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return result;
+}
+
+static DDS_Security_boolean
+get_datawriter_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    const DDS_Security_PartitionQosPolicy *partition,
+    const DDS_Security_DataTagQosPolicy *data_tag,
+    DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(partition);
+  DDSRT_UNUSED_ARG(data_tag);
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+
+  if (instance == 0 || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_name == 0 || strlen(topic_name) == 0 || attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  return get_sec_attributes(ac, permissions_handle, topic_name, attributes, ex);
+}
+
+static DDS_Security_boolean
+get_datareader_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    const DDS_Security_PartitionQosPolicy *partition,
+    const DDS_Security_DataTagQosPolicy *data_tag,
+    DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(partition);
+  DDSRT_UNUSED_ARG(data_tag);
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+
+  if (instance == 0 || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_name == 0 || strlen(topic_name) == 0 || attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  return get_sec_attributes(ac, permissions_handle, topic_name, attributes, ex);
+}
+
+static DDS_Security_boolean
+return_participant_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_ParticipantSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_topic_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_TopicSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_datawriter_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_datareader_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_permissions_handle(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  AccessControlObject *object;
+
+  if (!instance || !permissions_handle)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  ddsrt_mutex_lock(&ac->lock);
+  if (permissions_handle == ACCESS_CONTROL_OBJECT_HANDLE(ac->local_access_rights))
+  {
+    ddsrt_mutex_unlock(&ac->lock);
+    return true;
+  }
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  object = access_control_table_find(ac->local_permissions, permissions_handle);
+  if (object)
+  {
+    access_control_table_remove_object(ac->local_permissions, object);
+    access_control_object_release(object);
+    return true;
+  }
+#endif
+
+  object = access_control_table_find(ac->remote_permissions, permissions_handle);
+  if (!object)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  access_control_table_remove_object(ac->remote_permissions, object);
+  access_control_object_release(object);
+  return true;
+}
+
+int init_access_control(const char *argument, void **context)
+{
+  DDSRT_UNUSED_ARG(argument);
+
+  dds_security_access_control_impl *access_control = ddsrt_malloc(sizeof(*access_control));
+  memset(access_control, 0, sizeof(*access_control));
+
+#if TIMED_CALLBACK_IMPLEMENTED
+  access_control->timed_callbacks = ut_timed_dispatcher_new();
+#endif
+  access_control->base.validate_local_permissions = &validate_local_permissions;
+  access_control->base.validate_remote_permissions = &validate_remote_permissions;
+  access_control->base.check_create_participant = &check_create_participant;
+  access_control->base.check_create_datawriter = &check_create_datawriter;
+  access_control->base.check_create_datareader = &check_create_datareader;
+  access_control->base.check_create_topic = &check_create_topic;
+  access_control->base.check_local_datawriter_register_instance = &check_local_datawriter_register_instance;
+  access_control->base.check_local_datawriter_dispose_instance = &check_local_datawriter_dispose_instance;
+  access_control->base.check_remote_participant = &check_remote_participant;
+  access_control->base.check_remote_datawriter = &check_remote_datawriter;
+  access_control->base.check_remote_datareader = &check_remote_datareader;
+  access_control->base.check_remote_topic = &check_remote_topic;
+  access_control->base.check_local_datawriter_match = &check_local_datawriter_match;
+  access_control->base.check_local_datareader_match = &check_local_datareader_match;
+  access_control->base.check_remote_datawriter_register_instance = &check_remote_datawriter_register_instance;
+  access_control->base.check_remote_datawriter_dispose_instance = &check_remote_datawriter_dispose_instance;
+  access_control->base.get_permissions_token = &get_permissions_token;
+  access_control->base.get_permissions_credential_token = &get_permissions_credential_token;
+  access_control->base.set_listener = &set_listener;
+  access_control->base.return_permissions_token = &return_permissions_token;
+  access_control->base.return_permissions_credential_token = &return_permissions_credential_token;
+  access_control->base.get_participant_sec_attributes = &get_participant_sec_attributes;
+  access_control->base.get_topic_sec_attributes = &get_topic_sec_attributes;
+  access_control->base.get_datawriter_sec_attributes = &get_datawriter_sec_attributes;
+  access_control->base.get_datareader_sec_attributes = &get_datareader_sec_attributes;
+  access_control->base.return_participant_sec_attributes = &return_participant_sec_attributes;
+  access_control->base.return_topic_sec_attributes = &return_topic_sec_attributes;
+  access_control->base.return_datawriter_sec_attributes = &return_datawriter_sec_attributes;
+  access_control->base.return_datareader_sec_attributes = &return_datareader_sec_attributes;
+  access_control->base.return_permissions_handle = &return_permissions_handle;
+  ddsrt_mutex_init(&access_control->lock);
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  access_control->local_access_rights = NULL;
+#else
+  access_control->local_permissions = access_control_table_new();
+#endif
+  access_control->remote_permissions = access_control_table_new();
+
+  OpenSSL_add_all_algorithms();
+  OpenSSL_add_all_ciphers();
+  OpenSSL_add_all_digests();
+  ERR_load_BIO_strings();
+  ERR_load_crypto_strings();
+
+  *context = access_control;
+  return 0;
+}
+
+static bool
+get_sec_attributes(
+    dds_security_access_control_impl *ac,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  local_participant_access_rights *rights;
+  DDS_Security_boolean result = false;
+  TOPIC_TYPE topic_type;
+  assert(topic_name);
+  assert(attributes);
+  memset(attributes, 0, sizeof(DDS_Security_EndpointSecurityAttributes));
+  if ((rights = find_local_access_rights(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Invalid permissions handle");
+    return false;
+  }
+
+  if ((topic_type = get_topic_type(topic_name)) != TOPIC_TYPE_USER)
+  {
+    /* Builtin topics are treated in a special manner. */
+    result = true;
+
+    if (topic_type == TOPIC_TYPE_SECURE_ParticipantsSecure || topic_type == TOPIC_TYPE_SECURE_PublicationsSecure ||
+        topic_type == TOPIC_TYPE_SECURE_SubscriptionsSecure || topic_type == TOPIC_TYPE_SECURE_ParticipantMessageSecure)
+    {
+      struct domain_rule *found = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, rights->domain_id);
+      if (found)
+      { /* Domain matched */
+        /* is_submessage_protected should match is_liveliness_protected of
+             * ParticipantSecurityAttributes for DCPSParticipantMessageSecure.
+             * is_submessage_protected should match is_discovery_protected of
+             * ParticipantSecurityAttributes for OTHER 3.*/
+        if (topic_type == TOPIC_TYPE_SECURE_ParticipantMessageSecure)
+        {
+          attributes->is_submessage_protected = !(found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_NONE);
+          attributes->plugin_endpoint_attributes = get_plugin_endpoint_security_attributes_mask(
+              /* payload encrypted */
+              false,
+              /* submsg encrypted */
+              found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT ||
+                  found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION,
+              /* submsg authenticated */
+              found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION ||
+                  found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION);
+        }
+        else
+        {
+          attributes->is_submessage_protected = !(found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_NONE);
+          attributes->plugin_endpoint_attributes = get_plugin_endpoint_security_attributes_mask(
+              /* payload encrypted */
+              false,
+              /* submsg encrypted */
+              found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT ||
+                  found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION,
+              /* submsg authenticated */
+              found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION ||
+                  found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION);
+        }
+      }
+      else
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, rights->domain_id);
+        result = false;
+      }
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+    }
+    else if (topic_type == TOPIC_TYPE_SECURE_ParticipantStatelessMessage)
+    {
+      attributes->plugin_endpoint_attributes = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+      attributes->is_submessage_protected = false;
+    }
+    else if (topic_type == TOPIC_TYPE_SECURE_ParticipantVolatileMessageSecure)
+    {
+      attributes->plugin_endpoint_attributes = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID |
+                                               DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+      attributes->is_submessage_protected = true;
+    }
+    else
+    {
+      /* Non secure builtin topics. */
+      attributes->plugin_endpoint_attributes = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+      attributes->is_submessage_protected = false;
+    }
+  }
+  else
+  {
+    /* Normal user topic attributes are acquired from governance and permission documents. */
+    struct domain_rule *found = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, rights->domain_id);
+    if (found)
+    { /* Domain matched */
+      struct topic_rule *topic_rule = find_topic_from_domain_rule(found, topic_name);
+      if (topic_rule)
+      { /* Topic matched */
+        attributes->is_discovery_protected = topic_rule->enable_discovery_protection->value;
+        attributes->is_liveliness_protected = topic_rule->enable_liveliness_protection->value;
+        attributes->is_read_protected = topic_rule->enable_read_access_control->value;
+        attributes->is_write_protected = topic_rule->enable_write_access_control->value;
+        attributes->is_payload_protected = topic_rule->data_protection_kind->value != DDS_SECURITY_BASICPROTECTION_KIND_NONE;
+        attributes->is_submessage_protected = topic_rule->metadata_protection_kind->value != DDS_SECURITY_PROTECTION_KIND_NONE;
+        attributes->is_key_protected = topic_rule->data_protection_kind->value == DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT;
+
+        /*calculate and assign the mask */
+        attributes->plugin_endpoint_attributes = get_plugin_endpoint_security_attributes_mask(
+            topic_rule->data_protection_kind->value == DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT,
+            topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT ||
+                    topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION,
+            topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION ||
+                    topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION);
+
+        memset(&attributes->ac_endpoint_properties, 0, sizeof(DDS_Security_PropertySeq));
+        result = true;
+      }
+      else
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_MESSAGE, topic_name, rights->domain_id);
+      }
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, rights->domain_id);
+    }
+  }
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return result;
+}
+
+static char *
+get_access_control_class_id(
+    const char *classid)
+{
+  size_t sz = strlen(ACCESS_CONTROL_PROTOCOL_CLASS) + strlen(classid) + 6;
+  char *classId = ddsrt_malloc(sz);
+  snprintf(classId, sz, "%s:%s:%1u.%1u", ACCESS_CONTROL_PROTOCOL_CLASS, classid, ACCESS_CONTROL_PROTOCOL_VERSION_MAJOR, ACCESS_CONTROL_PROTOCOL_VERSION_MINOR);
+  return classId;
+}
+
+static void
+sanity_check_local_access_rights(
+    local_participant_access_rights *rights)
+{
+#ifndef NDEBUG
+  if (rights)
+  {
+    assert(rights->permissions_document);
+    assert(rights->governance_tree);
+    assert(rights->governance_tree->dds);
+    assert(rights->governance_tree->dds->domain_access_rules);
+    assert(rights->governance_tree->dds->domain_access_rules->domain_rule);
+    assert(rights->permissions_tree);
+    assert(rights->permissions_tree->dds);
+    assert(rights->permissions_tree->dds->permissions);
+    assert(rights->permissions_tree->dds->permissions->grant);
+  }
+#else
+  DDSRT_UNUSED_ARG(rights);
+#endif
+}
+
+static void
+sanity_check_remote_access_rights(
+    remote_participant_access_rights *rights)
+{
+#ifndef NDEBUG
+  /* Just some sanity checks. */
+  if (rights)
+  {
+    assert(rights->permissions);
+    assert(rights->permissions->permissions_tree);
+    assert(rights->permissions->permissions_tree->dds);
+    assert(rights->permissions->permissions_tree->dds->permissions);
+    assert(rights->permissions->remote_permissions_token_class_id);
+    assert(rights->local_rights);
+    sanity_check_local_access_rights(rights->local_rights);
+  }
+#else
+  DDSRT_UNUSED_ARG(rights);
+#endif
+}
+
+static local_participant_access_rights *
+find_local_access_rights(
+    dds_security_access_control_impl *ac,
+    DDS_Security_PermissionsHandle handle)
+{
+  local_participant_access_rights *rights = NULL;
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  DDSRT_UNUSED_ARG(handle);
+
+  ddsrt_mutex_lock(&ac->lock);
+  if (handle == ACCESS_CONTROL_OBJECT_HANDLE(ac->local_access_rights))
+    rights = (local_participant_access_rights *)ACCESS_CONTROL_OBJECT_KEEP(ac->local_access_rights);
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  rights = (local_participant_access_rights *)access_control_table_find(ac->local_permissions, handle);
+#endif
+
+  sanity_check_local_access_rights(rights);
+  return rights;
+}
+
+struct find_by_identity_arg
+{
+  AccessControlObject *object;
+  DDS_Security_IdentityHandle handle;
+};
+
+#ifndef ACCESS_CONTROL_USE_ONE_PERMISSION
+static int
+local_identity_handle_match(
+    AccessControlObject *obj,
+    void *arg)
+{
+  local_participant_access_rights *rights = (local_participant_access_rights *)obj;
+  struct find_by_identity_arg *info = arg;
+
+  if (rights->local_identity == info->handle)
+  {
+    info->object = obj;
+    return 0;
+  }
+
+  return 1;
+}
+#endif
+
+static int
+remote_identity_handle_match(
+    AccessControlObject *obj,
+    void *arg)
+{
+  remote_participant_access_rights *rights = (remote_participant_access_rights *)obj;
+  struct find_by_identity_arg *info = arg;
+
+  if (rights->remote_identity == info->handle)
+  {
+    info->object = ACCESS_CONTROL_OBJECT_KEEP(obj);
+    return 0;
+  }
+
+  return 1;
+}
+
+static local_participant_access_rights *
+find_local_rights_by_identity(
+    dds_security_access_control_impl *ac,
+    DDS_Security_IdentityHandle identity_handle)
+{
+  local_participant_access_rights *rights = NULL;
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  DDSRT_UNUSED_ARG(identity_handle);
+
+  ddsrt_mutex_lock(&ac->lock);
+  rights = (local_participant_access_rights *)ACCESS_CONTROL_OBJECT_KEEP(ac->local_access_rights);
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  {
+    struct find_by_identity_arg args;
+    args.object = NULL;
+    args.handle = identity_handle;
+    access_control_table_walk(ac->local_permissions, local_identity_handle_match, &args);
+    rights = (local_participant_access_rights *)args.object;
+  }
+#endif
+  sanity_check_local_access_rights(rights);
+  return rights;
+}
+
+static remote_participant_access_rights *
+find_remote_rights_by_identity(
+    dds_security_access_control_impl *ac,
+    DDS_Security_IdentityHandle identity_handle)
+{
+  struct find_by_identity_arg args;
+  args.object = NULL;
+  args.handle = identity_handle;
+  access_control_table_walk(ac->remote_permissions, remote_identity_handle_match, &args);
+  sanity_check_remote_access_rights((remote_participant_access_rights *)args.object);
+  return (remote_participant_access_rights *)args.object;
+}
+
+struct find_by_permissions_handle_arg
+{
+  AccessControlObject *object;
+  DDS_Security_PermissionsHandle handle;
+};
+
+static int
+remote_permissions_handle_match(
+    AccessControlObject *obj,
+    void *arg)
+{
+  struct find_by_permissions_handle_arg *info = arg;
+  if (obj->handle == info->handle)
+  {
+    info->object = ACCESS_CONTROL_OBJECT_KEEP(obj);
+    return 0;
+  }
+  return 1;
+}
+
+static remote_participant_access_rights *
+find_remote_permissions_by_permissions_handle(
+    dds_security_access_control_impl *ac,
+    DDS_Security_PermissionsHandle permissions_handle)
+{
+  struct find_by_permissions_handle_arg args;
+  args.object = NULL;
+  args.handle = permissions_handle;
+  access_control_table_walk(ac->remote_permissions, remote_permissions_handle_match, &args);
+  sanity_check_remote_access_rights((remote_participant_access_rights *)args.object);
+  return (remote_participant_access_rights *)args.object;
+}
+
+#if TIMED_CALLBACK_IMPLEMENTED
+
+typedef struct
+{
+  dds_security_access_control_impl *ac;
+  DDS_Security_PermissionsHandle hdl;
+} validity_cb_info;
+
+static void
+validity_callback(struct ut_timed_dispatcher_t *d,
+                  ut_timed_cb_kind kind,
+                  void *listener,
+                  void *arg)
+{
+  validity_cb_info *info = arg;
+  assert(d);
+  assert(arg);
+  if (kind == UT_TIMED_CB_KIND_TIMEOUT)
+  {
+    assert(listener);
+    if (1 /* TODO: Check if hdl is still valid or if it has been already returned. */)
+    {
+      dds_security_access_control_listener *ac_listener = (dds_security_access_control_listener *)listener;
+      if (ac_listener->on_revoke_permissions)
+        ac_listener->on_revoke_permissions(ac_listener, (dds_security_access_control *)info->ac, info->hdl);
+    }
+  }
+  ddsrt_free(arg);
+}
+
+static void
+add_validity_end_trigger(dds_security_access_control_impl *ac,
+                         const DDS_Security_PermissionsHandle permissions_handle,
+                         dds_time_t end)
+{
+  validity_cb_info *arg = ddsrt_malloc(sizeof(validity_cb_info));
+  arg->ac = ac;
+  arg->hdl = permissions_handle;
+  ut_timed_dispatcher_add(ac->timed_callbacks, validity_callback, end, (void *)arg);
+}
+#endif
+
+static DDS_Security_boolean
+is_allowed_by_permissions(struct permissions_parser *permissions,
+                          int domain_id,
+                          const char *topic_name,
+                          const DDS_Security_PartitionQosPolicy *partitions,
+                          const char *identity_subject_name,
+                          permission_criteria_type criteria_type,
+                          DDS_Security_SecurityException *ex)
+{
+  struct grant *permissions_grant;
+  struct allow_deny_rule *current_rule;
+  struct criteria *current_criteria;
+
+  assert(permissions);
+  assert(permissions->dds);
+  assert(permissions->dds->permissions);
+
+  permissions_grant = permissions->dds->permissions->grant;
+
+  /* Check for a matching grant */
+  while (permissions_grant != NULL)
+  {
+    /* Verify that it is within the validity date and the subject name matches */
+    if (permissions_grant->subject_name != NULL &&
+        permissions_grant->subject_name->value != NULL &&
+        strcmp(permissions_grant->subject_name->value, identity_subject_name) == 0)
+    {
+      dds_time_t tnow = dds_time();
+      if (tnow <= DDS_Security_parse_xml_date(permissions_grant->validity->not_before->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_before->value);
+        return false;
+      }
+      if (tnow >= DDS_Security_parse_xml_date(permissions_grant->validity->not_after->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_after->value);
+        return false;
+      }
+
+      current_rule = permissions_grant->allow_deny_rule;
+      while (current_rule != NULL)
+      {
+        /* Check if the domain matches the given ID otherwise move on */
+        if (domainid_within_sets(current_rule->domains->domain_id_set, domain_id))
+        {
+          if (topic_name == NULL)
+          {
+            if (current_rule->rule_type == ALLOW_RULE)
+              return true;
+          }
+
+          /* Check all subscribe criteria to find the topics, partition and tags */
+          current_criteria = current_rule->criteria;
+          while (current_criteria != NULL)
+          {
+            if (current_criteria->criteria_type == criteria_type || (int)criteria_type == UNKNOWN_CRITERIA)
+            {
+              if (is_topic_in_criteria(current_criteria, topic_name) && is_partition_qos_in_criteria(current_criteria, partitions))
+              {
+                if (current_rule->rule_type == ALLOW_RULE)
+                  return true;
+                if (current_rule->rule_type == DENY_RULE)
+                {
+                  DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ACCESS_DENIED_CODE, 0, "%s found in deny_rule.", topic_name);
+                  return false;
+                }
+              }
+            }
+            current_criteria = (struct criteria *)current_criteria->node.next;
+          }
+        }
+        current_rule = (struct allow_deny_rule *)current_rule->node.next;
+      }
+
+      /* If nothing found but the grant matches, return the default value */
+      if (permissions_grant->default_action == NULL)
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ACCESS_DENIED_CODE, 0, "No rule found for %s", topic_name ? topic_name : "participant");
+        return false;
+      }
+
+      if (strcmp(permissions_grant->default_action->value, "ALLOW") != 0)
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ACCESS_DENIED_CODE, 0, "%s denied by default rule", topic_name ? topic_name : "participant");
+        return false;
+      }
+
+      return true;
+    }
+    permissions_grant = (struct grant *)permissions_grant->node.next;
+  }
+
+  DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_MESSAGE);
+  return false;
+}
+
+static bool
+read_document_from_file(
+    const char *filename,
+    char **doc,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_WARNING_MSVC_OFF(4996);
+  FILE *fp;
+  char *document = NULL;
+  char *fname = NULL;
+  size_t sz, r;
+
+  assert(doc);
+  *doc = NULL;
+  /* Get portable file name. */
+  fname = DDS_Security_normalize_file(filename);
+  if (fname)
+  {
+    /* Get size if it is a accessible regular file (no dir or link). */
+    sz = ac_regular_file_size(fname);
+    if (sz > 0)
+    {
+      /* Open the actual file. */
+      fp = fopen(fname, "r");
+      if (fp)
+      {
+        /* Read the content. */
+        document = ddsrt_malloc(sz + 1);
+        r = fread(document, 1, sz, fp);
+        if (r == 0)
+        {
+          ddsrt_free(document);
+        }
+        else
+        {
+          document[r] = '\0';
+          *doc = document;
+        }
+        (void)fclose(fp);
+      }
+    }
+    ddsrt_free(fname);
+  }
+
+  if ((*doc) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, (filename ? filename : "NULL"));
+    return false;
+  }
+  return true;
+  DDSRT_WARNING_MSVC_ON(4996);
+}
+
+static bool
+read_document(
+    const char *doc_uri,
+    char **doc,
+    DDS_Security_SecurityException *ex)
+{
+  bool result = true;
+  char *data = NULL;
+
+  switch (DDS_Security_get_conf_item_type(doc_uri, &data))
+  {
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA:
+    *doc = data;
+    break;
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE:
+    result = read_document_from_file(data, doc, ex);
+    ddsrt_free(data);
+    break;
+  default:
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE, 0, DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_MESSAGE, doc_uri);
+    return false;
+  }
+  return result;
+}
+
+static bool
+validate_subject_name_in_permissions(struct permissions_parser *permissions_tree,
+                                     const char *identity_subject_name,
+                                     char **permission_subject_name,
+                                     dds_time_t *permission_validity_not_after,
+                                     DDS_Security_SecurityException *ex)
+{
+
+  struct grant *permissions_grant;
+  assert(permission_subject_name);
+
+  *permission_subject_name = NULL;
+  if (permissions_tree == NULL || permissions_tree->dds == NULL || permissions_tree->dds->permissions == NULL || permissions_tree->dds->permissions->grant == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  permissions_grant = permissions_tree->dds->permissions->grant;
+  while (permissions_grant != NULL)
+  {
+    /* Verify that it is within the validity date and the subject name matches */
+    if (identity_subject_name != NULL && ac_check_subjects_are_equal(permissions_grant->subject_name->value, identity_subject_name))
+    {
+      dds_time_t tnow = dds_time ();
+      if (tnow <= DDS_Security_parse_xml_date(permissions_grant->validity->not_before->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_before->value);
+        return false;
+      }
+      if (tnow >= DDS_Security_parse_xml_date(permissions_grant->validity->not_after->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_after->value);
+        return false;
+      }
+
+      /* identity subject name and permission subject name may not be exactly same because of different string representations
+        * That's why we are returning the string in permissions file to be stored for further comparisons */
+      *permission_subject_name = ddsrt_strdup(permissions_grant->subject_name->value);
+      *permission_validity_not_after = DDS_Security_parse_xml_date(permissions_grant->validity->not_after->value);
+      return true;
+    }
+    permissions_grant = (struct grant *)permissions_grant->node.next;
+  }
+
+  DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0,
+      DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE);
+  return false;
+}
+
+static local_participant_access_rights *
+check_and_create_local_participant_rights(
+    DDS_Security_IdentityHandle identity_handle,
+    int domain_id,
+    const DDS_Security_Qos *participant_qos,
+    DDS_Security_SecurityException *ex)
+{
+  local_participant_access_rights *rights = NULL;
+  X509 *identity_cert;
+  X509 *permission_ca = NULL;
+  size_t pdlen;
+  size_t gvlen;
+  char *identity_cert_data = NULL;
+  char *permission_ca_data = NULL;
+  char *permission_document = NULL;
+  char *governance_document = NULL;
+  char *permission_xml = NULL;
+  char *governance_xml = NULL;
+  char *identity_subject = NULL;
+  struct governance_parser *governance_tree = NULL;
+  struct permissions_parser *permissions_tree = NULL;
+  char *permission_subject = NULL;
+  char *permissions_uri = NULL;
+  char *governance_uri = NULL;
+  dds_time_t permission_expiry = DDS_TIME_INVALID;
+
+  /* Retrieve the identity certificate from the participant QoS */
+  identity_cert_data = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_IDENTITY_CERT);
+  if (!identity_cert_data)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_IDENTITY_CERT);
+    goto err_no_identity_cert;
+  }
+
+  if (!ac_X509_certificate_read(identity_cert_data, &identity_cert, ex))
+    goto err_inv_identity_cert;
+
+  if (!(identity_subject = ac_get_certificate_subject_name(identity_cert, ex)))
+    goto err_inv_identity_cert;
+
+  if (!(governance_uri = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_GOVERNANCE_DOCUMENT)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_GOVERNANCE_DOCUMENT);
+    goto err_no_governance;
+  }
+
+  if (!(permissions_uri = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_PERMISSIONS_DOCUMENT)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_PERMISSIONS_DOCUMENT);
+    goto err_no_permissions;
+  }
+
+  if (!(permission_ca_data = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_PERMISSIONS_CA)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_PERMISSIONS_CA);
+    goto err_no_permission_ca;
+  }
+
+  if (strlen(governance_uri) == 0 && strlen(permissions_uri) == 0 && strlen(permission_ca_data) == 0)
+  {
+    bool result;
+
+    result = ac_parse_governance_xml(DDS_SECURITY_DEFAULT_GOVERNANCE, &governance_tree, ex);
+    assert(result);
+    DDSRT_UNUSED_ARG(result);
+
+    result = ac_parse_permissions_xml(DDS_SECURITY_DEFAULT_PERMISSIONS, &permissions_tree, ex);
+    assert(result);
+    DDSRT_UNUSED_ARG(result);
+
+    /*set subject name on default permissions */
+    ddsrt_free(permissions_tree->dds->permissions->grant->subject_name->value);
+    permissions_tree->dds->permissions->grant->subject_name->value = ddsrt_strdup(identity_subject);
+    permission_document = ddsrt_strdup("");
+
+    rights = ac_local_participant_access_rights_new(identity_handle, domain_id, permission_document, NULL, identity_subject, governance_tree, permissions_tree);
+    sanity_check_local_access_rights(rights);
+  }
+  else if (strlen(governance_uri) > 0 && strlen(permissions_uri) > 0 && strlen(permission_ca_data) > 0)
+  {
+    /* Retrieve the permission ca certificate from the participant QoS */
+    if (!ac_X509_certificate_read(permission_ca_data, &permission_ca, ex))
+      goto err_inv_permission_ca;
+
+    /* Retrieve the permissions document from the participant QoS */
+    if (!read_document(permissions_uri, &permission_document, ex))
+      goto err_read_perm_doc;
+
+    if ((pdlen = strlen(permission_document)) == 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_CODE,
+          DDS_SECURITY_VALIDATION_FAILED, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_MESSAGE);
+      goto err_read_perm_doc;
+    }
+
+    /* Retrieve the governance from the participant QoS */
+    if (!read_document(governance_uri, &governance_document, ex))
+      goto err_read_gov_doc;
+
+    if ((gvlen = strlen(governance_document)) == 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_GOVERNANCE_DOCUMENT_PROPERTY_CODE,
+          DDS_SECURITY_VALIDATION_FAILED, DDS_SECURITY_ERR_INVALID_GOVERNANCE_DOCUMENT_PROPERTY_MESSAGE);
+      goto err_read_gov_doc;
+    }
+
+    if (!ac_PKCS7_document_check(permission_document, pdlen, permission_ca, &permission_xml, ex))
+      goto err_inv_perm_doc;
+
+    if (!ac_PKCS7_document_check(governance_document, gvlen, permission_ca, &governance_xml, ex))
+      goto err_inv_gov_doc;
+
+    if (!ac_parse_governance_xml(governance_xml, &governance_tree, ex))
+      goto err_inv_gov_xml;
+
+    if (!ac_parse_permissions_xml(permission_xml, &permissions_tree, ex))
+    {
+      ac_return_governance_tree(governance_tree);
+      goto err_inv_perm_xml;
+    }
+
+    /* check if subject name of identity certificate matches the subject name in the permissions document */
+    if (!validate_subject_name_in_permissions(permissions_tree, identity_subject, &permission_subject, &permission_expiry, ex))
+    {
+      ac_return_governance_tree(governance_tree);
+      ac_return_permissions_tree(permissions_tree);
+      goto err_inv_subject;
+    }
+
+    rights = ac_local_participant_access_rights_new(identity_handle, domain_id, permission_document, permission_ca, permission_subject, governance_tree, permissions_tree);
+    rights->permissions_expiry = permission_expiry;
+    sanity_check_local_access_rights(rights);
+  }
+  else
+  { /*one of them is not empty but the others */
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED,
+        "Governance, Permissions and Permissions CA properties do not exist properly. Either all must be empty or all must be valid");
+    goto err_inv_properties;
+  }
+
+err_inv_subject:
+err_inv_perm_xml:
+err_inv_gov_xml:
+  ddsrt_free(governance_xml);
+err_inv_gov_doc:
+  ddsrt_free(permission_xml);
+err_inv_perm_doc:
+err_read_gov_doc:
+  ddsrt_free(governance_document);
+err_read_perm_doc:
+  if (!rights)
+  {
+    ddsrt_free(permission_document);
+    X509_free(permission_ca);
+  }
+err_inv_properties:
+err_inv_permission_ca:
+  ddsrt_free(permission_ca_data);
+err_no_permission_ca:
+  ddsrt_free(permissions_uri);
+err_no_permissions:
+  ddsrt_free(governance_uri);
+err_no_governance:
+  X509_free(identity_cert);
+err_inv_identity_cert:
+  ddsrt_free(identity_subject);
+  ddsrt_free(permission_subject);
+  ddsrt_free(identity_cert_data);
+err_no_identity_cert:
+  return rights;
+}
+
+static remote_participant_access_rights *
+check_and_create_remote_participant_rights(
+    DDS_Security_IdentityHandle remote_identity_handle,
+    local_participant_access_rights *local_rights,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const DDS_Security_AuthenticatedPeerCredentialToken *remote_credential_token,
+    DDS_Security_SecurityException *ex)
+{
+  remote_participant_access_rights *rights = NULL;
+  X509 *identity_cert = NULL;
+  const DDS_Security_Property_t *identity_cert_property;
+  const DDS_Security_Property_t *permission_doc_property;
+  char *identity_subject = NULL;
+  char *permissions_xml = NULL;
+  remote_permissions *permissions = NULL;
+  char *permission_subject = NULL;
+  dds_time_t permission_expiry = DDS_TIME_INVALID;
+  size_t len;
+
+  /* Retrieve the remote identity certificate from the remote_credential_token */
+  identity_cert_property = DDS_Security_DataHolder_find_property(remote_credential_token, "c.id");
+  if (!identity_cert_property || !identity_cert_property->value)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, "c.id");
+    goto err_no_identity_cert;
+  }
+
+  len = strlen(identity_cert_property->value);
+  assert (len <= INT32_MAX);
+  if (!ac_X509_certificate_from_data(identity_cert_property->value, (int) len, &identity_cert, ex))
+    goto err_inv_identity_cert;
+
+  if (!(identity_subject = ac_get_certificate_subject_name(identity_cert, ex)))
+    goto err_inv_identity_cert;
+
+  /* Retrieve the remote permissions document from the remote_credential_token */
+  permission_doc_property = DDS_Security_DataHolder_find_property(remote_credential_token, "c.perm");
+  if (!permission_doc_property || !permission_doc_property->value)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0, DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, "c.perm");
+    goto err_inv_perm_doc;
+  }
+
+  if (strlen(permission_doc_property->value) == 0)
+  {
+    /* use default permissions document (all deny) if there is no permissions file
+         *to communicate with access_control=false and comply with previous release */
+    struct domain_rule *domainRule = find_domain_rule_in_governance(local_rights->governance_tree->dds->domain_access_rules->domain_rule, local_rights->domain_id);
+    if (!domainRule->enable_join_access_control->value)
+    {
+      permissions_xml = ddsrt_str_replace(DDS_SECURITY_DEFAULT_PERMISSIONS, "DEFAULT_SUBJECT", identity_subject, 1);
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_CODE, 0, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_MESSAGE);
+      goto err_inv_perm_doc;
+    }
+  }
+  else
+  {
+    if (!ac_PKCS7_document_check(permission_doc_property->value, strlen(permission_doc_property->value), local_rights->permissions_ca, &permissions_xml, ex))
+      goto err_inv_perm_doc;
+  }
+
+  permissions = ddsrt_malloc(sizeof(remote_permissions));
+  permissions->ref_cnt = 0;
+  permissions->permissions_tree = NULL;
+  if (!ac_parse_permissions_xml(permissions_xml, &(permissions->permissions_tree), ex))
+  {
+    ddsrt_free(permissions);
+    goto err_inv_perm_xml;
+  }
+
+  /* check if subject name of identity certificate matches the subject name in the permissions document */
+  if (!validate_subject_name_in_permissions(permissions->permissions_tree, identity_subject, &permission_subject, &permission_expiry, ex))
+  {
+    ac_return_permissions_tree(permissions->permissions_tree);
+    ddsrt_free(permissions);
+    goto err_inv_subject;
+  }
+  rights = ac_remote_participant_access_rights_new(remote_identity_handle, local_rights, permissions, permission_expiry, remote_permissions_token, permission_subject);
+  sanity_check_remote_access_rights(rights);
+  ddsrt_free(permission_subject);
+
+err_inv_subject:
+err_inv_perm_xml:
+  ddsrt_free(permissions_xml);
+err_inv_perm_doc:
+  X509_free(identity_cert);
+err_inv_identity_cert:
+  ddsrt_free(identity_subject);
+err_no_identity_cert:
+  return rights;
+}
+
+static TOPIC_TYPE
+get_topic_type(
+    const char *topic_name)
+{
+  TOPIC_TYPE type = TOPIC_TYPE_USER;
+  assert(topic_name);
+
+  /* All builtin topics start with "DCPS" */
+  if (strncmp(topic_name, "DCPS", 4) == 0)
+  {
+    /* There are a number of builtin topics starting with "DCPSParticipant" */
+    if (strncmp(&(topic_name[4]), "Participant", 11) == 0)
+    {
+      if (strcmp(&(topic_name[15]), "") == 0)
+        type = TOPIC_TYPE_NON_SECURE_BUILTIN; /* DCPSParticipant */
+      else if (strcmp(&(topic_name[15]), "Message") == 0)
+        type = TOPIC_TYPE_NON_SECURE_BUILTIN; /* DCPSParticipantMessage */
+      else if (strcmp(&(topic_name[15]), "MessageSecure") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantMessageSecure; /* DCPSParticipantMessageSecure */
+      else if (strcmp(&(topic_name[15]), "VolatileMessageSecure") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantVolatileMessageSecure; /* DCPSParticipantVolatileMessageSecure */
+      else if (strcmp(&(topic_name[15]), "StatelessMessage") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantStatelessMessage; /* DCPSParticipantStatelessMessage */
+      else if (strcmp(&(topic_name[15]), "sSecure") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantsSecure; /* DCPSParticipantsSecure */
+    }
+    else if (strcmp(&(topic_name[4]), "SubscriptionsSecure") == 0)
+      type = TOPIC_TYPE_SECURE_SubscriptionsSecure; /* DCPSSubscriptionsSecure */
+    else if (strcmp(&(topic_name[4]), "PublicationsSecure") == 0)
+      type = TOPIC_TYPE_SECURE_PublicationsSecure; /* DCPSPublicationsSecure */
+    else if ((strcmp(&(topic_name[4]), "Topic") == 0) ||
+             (strcmp(&(topic_name[4]), "Publication") == 0) ||
+             (strcmp(&(topic_name[4]), "Subscription") == 0))
+    {
+      /* DCPSTopic        */
+      /* DCPSPublication  */
+      /* DCPSSubscription */
+      type = TOPIC_TYPE_NON_SECURE_BUILTIN;
+    }
+  }
+  return type;
+}
+
+int finalize_access_control(void *context)
+{
+  dds_security_access_control_impl *access_control = context;
+  if (access_control)
+  {
+#if TIMED_CALLBACK_IMPLEMENTED
+    ut_timed_dispatcher_free(access_control->timed_callbacks);
+#endif
+    access_control_table_free(access_control->remote_permissions);
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+    if (access_control->local_access_rights)
+      access_control_object_free((AccessControlObject *)access_control->local_access_rights);
+#else
+    access_control_table_free(access_control->local_permissions);
+#endif
+    ddsrt_mutex_destroy(&access_control->lock);
+    ddsrt_free(access_control);
+  }
+  EVP_cleanup();
+  CRYPTO_cleanup_all_ex_data();
+  REMOVE_THREAD_STATE();
+  ERR_free_strings();
+  return 0;
+}
diff --git a/src/security/builtin_plugins/access_control/src/access_control.h b/src/security/builtin_plugins/access_control/src/access_control.h
new file mode 100644
index 0000000..b98d2d7
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_H
+#define ACCESS_CONTROL_H
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/export.h"
+
+SECURITY_EXPORT int init_access_control(const char *argument, void **context);
+SECURITY_EXPORT int finalize_access_control(void *context);
+
+#endif /* ACCESS_CONTROL_H */
diff --git a/src/security/builtin_plugins/access_control/src/access_control_objects.c b/src/security/builtin_plugins/access_control/src/access_control_objects.c
new file mode 100644
index 0000000..cee88cb
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_objects.c
@@ -0,0 +1,283 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <string.h>
+#include "dds/ddsrt/atomics.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/hopscotch.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/sync.h"
+#include "dds/ddsrt/types.h"
+#include "access_control_objects.h"
+#include "access_control_utils.h"
+#include "access_control_parser.h"
+
+struct AccessControlTable
+{
+  struct ddsrt_hh *htab;
+  ddsrt_mutex_t lock;
+};
+
+bool access_control_object_valid(const AccessControlObject *obj, const AccessControlObjectKind_t kind)
+{
+  if (!obj)
+    return false;
+  if (obj->kind != kind)
+    return false;
+  if (obj->handle != (int64_t)(uintptr_t)obj)
+    return false;
+
+  return true;
+}
+
+static uint32_t access_control_object_hash(const void *obj)
+{
+  const AccessControlObject *object = obj;
+  const uint64_t c = 0xE21B371BEB9E6C05;
+  const uint32_t x = (uint32_t)object->handle;
+  return (unsigned)((x * c) >> 32);
+}
+
+static int access_control_object_equal(const void *ha, const void *hb)
+{
+  const AccessControlObject *la = ha;
+  const AccessControlObject *lb = hb;
+  return la->handle == lb->handle;
+}
+
+void access_control_object_init(AccessControlObject *obj, AccessControlObjectKind_t kind, AccessControlObjectDestructor destructor)
+{
+  assert(obj);
+  obj->kind = kind;
+  obj->handle = (int64_t)(uintptr_t)obj;
+  obj->destructor = destructor;
+  ddsrt_atomic_st32(&obj->refcount, 1);
+}
+
+static void access_control_object_deinit(AccessControlObject *obj)
+{
+  assert(obj);
+  obj->handle = DDS_SECURITY_HANDLE_NIL;
+  obj->kind = ACCESS_CONTROL_OBJECT_KIND_UNKNOWN;
+  obj->destructor = NULL;
+}
+
+void access_control_object_free(AccessControlObject *obj)
+{
+  if (obj && obj->destructor)
+    obj->destructor(obj);
+}
+
+AccessControlObject *access_control_object_keep(AccessControlObject *obj)
+{
+  if (obj)
+    ddsrt_atomic_inc32(&obj->refcount);
+  return obj;
+}
+
+void access_control_object_release(AccessControlObject *obj)
+{
+  if (obj)
+  {
+    if (ddsrt_atomic_dec32_nv(&obj->refcount) == 0)
+      access_control_object_free(obj);
+  }
+}
+
+struct AccessControlTable *access_control_table_new(void)
+{
+  struct AccessControlTable *table;
+
+  table = ddsrt_malloc(sizeof(*table));
+  table->htab = ddsrt_hh_new(32, access_control_object_hash, access_control_object_equal);
+  ddsrt_mutex_init(&table->lock);
+  return table;
+}
+
+void access_control_table_free(struct AccessControlTable *table)
+{
+  struct ddsrt_hh_iter it;
+  AccessControlObject *obj;
+
+  if (!table)
+    return;
+  for (obj = ddsrt_hh_iter_first(table->htab, &it); obj; obj = ddsrt_hh_iter_next(&it))
+  {
+    (void)ddsrt_hh_remove(table->htab, obj);
+    access_control_object_release(obj);
+  }
+  ddsrt_hh_free(table->htab);
+  ddsrt_mutex_destroy(&table->lock);
+  ddsrt_free(table);
+}
+
+AccessControlObject *access_control_table_insert(struct AccessControlTable *table, AccessControlObject *object)
+{
+  AccessControlObject template;
+  AccessControlObject *cur;
+  assert(table);
+  assert(object);
+  template.handle = object->handle;
+  ddsrt_mutex_lock(&table->lock);
+  if (!(cur = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template))))
+  {
+    cur = access_control_object_keep(object);
+    (void)ddsrt_hh_add(table->htab, cur);
+  }
+  ddsrt_mutex_unlock(&table->lock);
+  return cur;
+}
+
+void access_control_table_remove_object(struct AccessControlTable *table, AccessControlObject *object)
+{
+  assert(table);
+  assert(object);
+  ddsrt_mutex_lock(&table->lock);
+  (void)ddsrt_hh_remove(table->htab, object);
+  ddsrt_mutex_unlock(&table->lock);
+  access_control_object_release(object);
+}
+
+AccessControlObject *access_control_table_remove(struct AccessControlTable *table, int64_t handle)
+{
+  AccessControlObject template;
+  AccessControlObject *object;
+  assert(table);
+  template.handle = handle;
+  ddsrt_mutex_lock(&table->lock);
+  if ((object = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template))))
+  {
+    (void)ddsrt_hh_remove(table->htab, object);
+    access_control_object_release(object);
+  }
+  ddsrt_mutex_unlock(&table->lock);
+  return object;
+}
+
+AccessControlObject *access_control_table_find(struct AccessControlTable *table, int64_t handle)
+{
+  AccessControlObject template;
+  AccessControlObject *object;
+  assert(table);
+  template.handle = handle;
+  ddsrt_mutex_lock(&table->lock);
+  object = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template));
+  ddsrt_mutex_unlock(&table->lock);
+  return object;
+}
+
+void access_control_table_walk(struct AccessControlTable *table, AccessControlTableCallback callback, void *arg)
+{
+  struct ddsrt_hh_iter it;
+  AccessControlObject *obj;
+  int r = 1;
+  assert(table);
+  assert(callback);
+  ddsrt_mutex_lock(&table->lock);
+  for (obj = ddsrt_hh_iter_first(table->htab, &it); r && obj; obj = ddsrt_hh_iter_next(&it))
+    r = callback(obj, arg);
+  ddsrt_mutex_unlock(&table->lock);
+}
+
+static void local_participant_access_rights_free(AccessControlObject *obj)
+{
+  local_participant_access_rights *rights = (local_participant_access_rights *)obj;
+  if (rights)
+  {
+    ddsrt_free(rights->permissions_document);
+    if (rights->permissions_ca)
+      X509_free(rights->permissions_ca);
+    access_control_object_deinit((AccessControlObject *)rights);
+    if (rights->governance_tree)
+      ac_return_governance_tree(rights->governance_tree);
+    if (rights->permissions_tree)
+      ac_return_permissions_tree(rights->permissions_tree);
+    ddsrt_free(rights->identity_subject_name);
+    ddsrt_free(rights);
+  }
+}
+
+local_participant_access_rights *ac_local_participant_access_rights_new(
+    DDS_Security_IdentityHandle local_identity,
+    int domain_id,
+    char *permissions_document,
+    X509 *permissions_ca,
+    const char *identity_subject_name,
+    struct governance_parser *governance_tree,
+    struct permissions_parser *permissions_tree)
+{
+  local_participant_access_rights *rights = ddsrt_malloc(sizeof(local_participant_access_rights));
+  memset(rights, 0, sizeof(local_participant_access_rights));
+  access_control_object_init((AccessControlObject *)rights, ACCESS_CONTROL_OBJECT_KIND_LOCAL_PARTICIPANT, local_participant_access_rights_free);
+  rights->local_identity = local_identity;
+  rights->domain_id = domain_id;
+  rights->permissions_document = permissions_document;
+  rights->permissions_ca = permissions_ca;
+  rights->identity_subject_name = ddsrt_strdup(identity_subject_name);
+  rights->governance_tree = governance_tree;
+  rights->permissions_tree = permissions_tree;
+  return rights;
+}
+
+
+static void remote_participant_access_rights_free(AccessControlObject *obj)
+{
+  remote_participant_access_rights *rights = (remote_participant_access_rights *)obj;
+  if (rights)
+  {
+    if (rights->permissions)
+    {
+      assert(rights->permissions->ref_cnt > 0);
+      rights->permissions->ref_cnt--;
+      if (rights->permissions->ref_cnt == 0)
+      {
+        ac_return_permissions_tree(rights->permissions->permissions_tree);
+        ddsrt_free(rights->permissions->remote_permissions_token_class_id);
+        ddsrt_free(rights->permissions);
+      }
+    }
+    ddsrt_free(rights->identity_subject_name);
+    ACCESS_CONTROL_OBJECT_RELEASE(rights->local_rights);
+    access_control_object_deinit((AccessControlObject *)rights);
+    ddsrt_free(rights);
+  }
+}
+
+remote_participant_access_rights *
+ac_remote_participant_access_rights_new(
+    DDS_Security_IdentityHandle remote_identity,
+    const local_participant_access_rights *local_rights,
+    remote_permissions *permissions,
+    dds_time_t permission_expiry,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const char *identity_subject)
+{
+  remote_participant_access_rights *rights = ddsrt_malloc(sizeof(remote_participant_access_rights));
+  memset(rights, 0, sizeof(remote_participant_access_rights));
+  access_control_object_init((AccessControlObject *)rights, ACCESS_CONTROL_OBJECT_KIND_REMOTE_PARTICIPANT, remote_participant_access_rights_free);
+  rights->remote_identity = remote_identity;
+  rights->permissions = permissions;
+  rights->permissions_expiry = permission_expiry;
+  rights->local_rights = (local_participant_access_rights *)ACCESS_CONTROL_OBJECT_KEEP(local_rights);
+  if (rights->permissions)
+  {
+    rights->permissions->remote_permissions_token_class_id = ddsrt_strdup(remote_permissions_token->class_id);
+    rights->permissions->ref_cnt++;
+    rights->identity_subject_name = ddsrt_strdup(identity_subject);
+  }
+  else
+  {
+    assert(identity_subject == NULL);
+    rights->identity_subject_name = NULL;
+  }
+  return rights;
+}
diff --git a/src/security/builtin_plugins/access_control/src/access_control_objects.h b/src/security/builtin_plugins/access_control/src/access_control_objects.h
new file mode 100644
index 0000000..b1f033b
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_objects.h
@@ -0,0 +1,106 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_OBJECTS_H
+#define ACCESS_CONTROL_OBJECTS_H
+
+#include <openssl/x509.h>
+#include "dds/ddsrt/atomics.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+
+#define ACCESS_CONTROL_OBJECT(o)            ((AccessControlObject *)(o))
+#define ACCESS_CONTROL_OBJECT_HANDLE(o)     ((o) ? ACCESS_CONTROL_OBJECT(o)->handle : DDS_SECURITY_HANDLE_NIL)
+
+#define ACCESS_CONTROL_OBJECT_KEEP(o)       access_control_object_keep((AccessControlObject *)(o))
+#define ACCESS_CONTROL_OBJECT_RELEASE(o)    access_control_object_release((AccessControlObject *)(o))
+#define ACCESS_CONTROL_OBJECT_VALID(o,k)    access_control_object_valid((AccessControlObject *)(o), k)
+
+typedef enum {
+    ACCESS_CONTROL_OBJECT_KIND_UNKNOWN,
+    ACCESS_CONTROL_OBJECT_KIND_LOCAL_PARTICIPANT,
+    ACCESS_CONTROL_OBJECT_KIND_REMOTE_PARTICIPANT,
+} AccessControlObjectKind_t;
+
+typedef struct AccessControlObject AccessControlObject;
+typedef void (*AccessControlObjectDestructor)(AccessControlObject *obj);
+
+struct AccessControlObject {
+    int64_t handle;
+    ddsrt_atomic_uint32_t refcount;
+    AccessControlObjectKind_t kind;
+    AccessControlObjectDestructor destructor;
+};
+
+typedef struct local_participant_access_rights {
+    AccessControlObject _parent;
+    DDS_Security_ParticipantSecurityAttributes participant_attributes;
+    DDS_Security_IdentityHandle local_identity;
+    struct governance_parser *governance_tree;
+    struct permissions_parser *permissions_tree;
+    int domain_id;
+    char *identity_subject_name;
+    char *permissions_document;
+    X509 *permissions_ca;
+    dds_time_t permissions_expiry;
+} local_participant_access_rights;
+
+
+typedef struct remote_permissions {
+    int ref_cnt;
+    struct permissions_parser *permissions_tree;
+    DDS_Security_string remote_permissions_token_class_id;
+} remote_permissions;
+
+typedef struct remote_participant_access_rights {
+    AccessControlObject _parent;
+    DDS_Security_IdentityHandle remote_identity;
+    local_participant_access_rights *local_rights;
+    remote_permissions *permissions;
+    char *identity_subject_name;
+    dds_time_t permissions_expiry;
+} remote_participant_access_rights;
+
+void access_control_object_init(AccessControlObject *obj, AccessControlObjectKind_t kind, AccessControlObjectDestructor destructor);
+AccessControlObject *access_control_object_keep(AccessControlObject *obj);
+void access_control_object_release(AccessControlObject *obj);
+bool access_control_object_valid(const AccessControlObject *obj, AccessControlObjectKind_t kind);
+void access_control_object_free(AccessControlObject *obj);
+
+struct AccessControlTable;
+typedef int (*AccessControlTableCallback)(AccessControlObject *obj, void *arg);
+struct AccessControlTable *access_control_table_new(void);
+
+void access_control_table_free(struct AccessControlTable *table);
+AccessControlObject *access_control_table_insert(struct AccessControlTable *table, AccessControlObject *object);
+void access_control_table_remove_object(struct AccessControlTable *table, AccessControlObject *object);
+AccessControlObject *access_control_table_remove(struct AccessControlTable *table, int64_t handle);
+AccessControlObject *access_control_table_find(struct AccessControlTable *table, int64_t handle);
+void access_control_table_walk(struct AccessControlTable *table, AccessControlTableCallback callback, void *arg);
+
+local_participant_access_rights *ac_local_participant_access_rights_new(
+    DDS_Security_IdentityHandle local_identity,
+    int domain_id,
+    char *permissions_document,
+    X509 *permissions_ca,
+    const char* identity_subject_name,
+    struct governance_parser *governance_tree,
+    struct permissions_parser *permissions_tree);
+
+remote_participant_access_rights *ac_remote_participant_access_rights_new(
+    DDS_Security_IdentityHandle remote_identity,
+    const local_participant_access_rights *local_rights,
+    remote_permissions *permissions,
+    dds_time_t permission_expiry,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const char *identity_subject);
+
+#endif /* ACCESS_CONTROL_OBJECTS_H */
diff --git a/src/security/builtin_plugins/access_control/src/access_control_parser.c b/src/security/builtin_plugins/access_control/src/access_control_parser.c
new file mode 100644
index 0000000..5f1cf2d
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_parser.c
@@ -0,0 +1,1212 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <string.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/strtol.h"
+#include "dds/ddsrt/types.h"
+#include "dds/ddsrt/xmlparser.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "access_control_parser.h"
+#include "access_control_utils.h"
+
+#define DEBUG_PARSER 0
+#if (DEBUG_PARSER)
+
+static void print_tab(int spaces)
+{
+  while (spaces > 0)
+  {
+    printf(" ");
+    spaces--;
+  }
+}
+
+static void print_string_value(struct string_value *val, const char *info, int spaces)
+{
+  print_tab(spaces);
+  printf("%s", info);
+  if (val)
+    printf(": %s", val->value ? val->value : "<noval>");
+  printf("\n");
+}
+
+#define PRINT_VALUE_BASIC(name_, type_) \
+  static void print_##name_##_value (type_ *val, const char *info, int spaces) \
+  { \
+    print_tab(spaces); \
+    printf("%s", info); \
+    if (val) \
+      printf(": %d", val->value); \
+    printf("\n"); \
+  }
+PRINT_VALUE_BASIC(bool, struct boolean_value)
+PRINT_VALUE_BASIC(int, struct integer_value)
+PRINT_VALUE_BASIC(protection, struct protection_kind_value)
+PRINT_VALUE_BASIC(basic_protection, struct basicprotection_kind_value)
+#undef PRINT_VALUE_BASIC
+
+static void print_domains(struct domains *domains, int spaces)
+{
+  print_tab(spaces);
+  printf("domains {\n");
+  if (domains)
+  {
+    struct domain_id_set *current = domains->domain_id_set;
+    while (current != NULL)
+    {
+      if (current->max == NULL)
+      {
+        print_int_value(current->min, "id", spaces + 3);
+      }
+      else
+      {
+        print_int_value(current->min, "min", spaces + 3);
+        print_int_value(current->max, "max", spaces + 3);
+      }
+      current = (struct domain_id_set *)current->node.next;
+    }
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_topic_rule(struct topic_rule *rule, int spaces)
+{
+  print_tab(spaces);
+  printf("topic_rule {\n");
+  if (rule)
+  {
+    print_string_value(rule->topic_expression, "topic_expression", spaces + 3);
+    print_bool_value(rule->enable_discovery_protection, "enable_discovery_protection", spaces + 3);
+    print_bool_value(rule->enable_liveliness_protection, "enable_liveliness_protection", spaces + 3);
+    print_bool_value(rule->enable_read_access_control, "enable_read_access_control", spaces + 3);
+    print_bool_value(rule->enable_write_access_control, "enable_write_access_control", spaces + 3);
+    print_protection_value(rule->metadata_protection_kind, "metadata_protection_kind", spaces + 3);
+    print_basic_protection_value(rule->data_protection_kind, "data_protection_kind", spaces + 3);
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_topic_access_rules(struct topic_access_rules *tar, int spaces)
+{
+  print_tab(spaces);
+  printf("topic_access_rules {\n");
+  if (tar)
+  {
+    struct topic_rule *current = tar->topic_rule;
+    while (current != NULL)
+    {
+      print_topic_rule(current, spaces + 3);
+      current = (struct topic_rule *)current->node.next;
+    }
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_domain_rule(struct domain_rule *rule, int spaces)
+{
+  print_tab(spaces);
+  printf("domain_rule {\n");
+  if (rule)
+  {
+    print_domains(rule->domains, spaces + 3);
+    print_bool_value(rule->allow_unauthenticated_participants, "allow_unauthenticated_participants", spaces + 3);
+    print_bool_value(rule->enable_join_access_control, "enable_join_access_control", spaces + 3);
+    print_protection_value(rule->rtps_protection_kind, "rtps_protection_kind", spaces + 3);
+    print_protection_value(rule->discovery_protection_kind, "discovery_protection_kind", spaces + 3);
+    print_protection_value(rule->liveliness_protection_kind, "liveliness_protection_kind", spaces + 3);
+    print_topic_access_rules(rule->topic_access_rules, spaces + 3);
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_domain_access_rules(struct domain_access_rules *dar, int spaces)
+{
+  print_tab(spaces);
+  printf("domain_access_rules {\n");
+  if (dar)
+  {
+    struct domain_rule *current = dar->domain_rule;
+    while (current != NULL)
+    {
+      print_domain_rule(current, spaces + 3);
+      current = (struct domain_rule *)current->node.next;
+    }
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_governance_parser_result(struct governance_parser *parser)
+{
+  assert(parser);
+  assert(parser->dds);
+  assert(parser->dds->domain_access_rules);
+  printf("-----------------------------------------------\n");
+  print_domain_access_rules(parser->dds->domain_access_rules, 0);
+  printf("-----------------------------------------------\n");
+}
+
+static void print_topic(struct string_value *topic, int spaces)
+{
+  if (topic)
+  {
+    print_string_value(topic, "topic", spaces);
+    print_topic((struct string_value *)topic->node.next, spaces);
+  }
+}
+
+static void print_topics(struct topics *topics, int spaces)
+{
+  if (topics)
+  {
+    print_tab(spaces);
+    printf("topics {\n");
+    print_topic(topics->topic, spaces + 3);
+    print_tab(spaces);
+    printf("}\n");
+  }
+}
+
+static void print_partition(struct string_value *partition, int spaces)
+{
+  if (partition)
+  {
+    print_string_value(partition, "partition", spaces);
+    print_partition((struct string_value *)partition->node.next, spaces);
+  }
+}
+
+static void print_partitions(struct partitions *partitions, int spaces)
+{
+  if (partitions)
+  {
+    print_tab(spaces);
+    printf("partitions {\n");
+    print_partition(partitions->partition, spaces + 3);
+    print_tab(spaces);
+    printf("}\n");
+  }
+}
+
+static void print_criteria(struct criteria *criteria, int spaces)
+{
+  if (criteria)
+  {
+    struct criteria *current = criteria;
+    while (current != NULL)
+    {
+      print_tab(spaces);
+      if (current->criteria_type == SUBSCRIBE_CRITERIA)
+        printf("subscribe {\n");
+      else if (current->criteria_type == PUBLISH_CRITERIA)
+        printf("publish {\n");
+      else
+        assert(0);
+      print_topics(current->topics, spaces + 3);
+      print_partitions(current->partitions, spaces + 3);
+      print_tab(spaces);
+      printf("}\n");
+      current = (struct criteria *)current->node.next;
+    }
+  }
+}
+
+static void print_allow_deny_rule(struct allow_deny_rule *allow_deny_rule, int spaces)
+{
+  if (allow_deny_rule)
+  {
+    struct allow_deny_rule *current = allow_deny_rule;
+    while (current != NULL)
+    {
+      print_tab(spaces);
+      if (current->rule_type == ALLOW_RULE)
+        printf("allow_rule {\n");
+      else if (current->rule_type == DENY_RULE)
+        printf("deny_rule {\n");
+      else
+        assert(0);
+      print_domains(current->domains, spaces + 3);
+      print_criteria(current->criteria, spaces + 3);
+      print_tab(spaces);
+      printf("}\n");
+      current = (struct allow_deny_rule *)current->node.next;
+    }
+  }
+}
+
+static void print_permissions(struct permissions *permissions, int spaces)
+{
+  struct grant *current = permissions->grant;
+  print_tab(spaces);
+  printf("permissions {\n");
+  while (current != NULL)
+  {
+    print_tab(spaces + 3);
+    printf("grant {\n");
+    print_tab(spaces + 6);
+    printf("name: %s\n", current->name);
+    print_string_value(current->subject_name, "subject_name", spaces + 6);
+    print_string_value(current->validity->not_before, "validity_not_before", spaces + 6);
+    print_string_value(current->validity->not_after, "validity_not_after", spaces + 6);
+    print_allow_deny_rule(current->allow_deny_rule, spaces + 6);
+    print_string_value(current->default_action, "default", spaces + 6);
+    current = (struct grant *)current->node.next;
+    print_tab(spaces + 3);
+    printf("}\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_permissions_parser_result(struct permissions_parser *parser)
+{
+  assert(parser);
+  assert(parser->dds);
+  assert(parser->dds->permissions);
+  printf("-----------------------------------------------\n");
+  print_permissions(parser->dds->permissions, 0);
+  printf("-----------------------------------------------\n");
+}
+
+#endif /* DEBUG_PARSER */
+
+static struct element *new_element(element_kind kind, struct element *parent, size_t size)
+{
+  struct element *e = ddsrt_malloc(size);
+  memset(e, 0, size);
+  e->parent = parent;
+  e->kind = kind;
+  e->next = NULL;
+  return e;
+}
+
+#define PREPARE_NODE(element_type, element_kind, element_name, parent_type, parent_kind, current) \
+  {                                                                                               \
+    xml_##parent_type *P = (xml_##parent_type *)current;                                          \
+    if (!current || current->kind != ELEMENT_KIND_##parent_kind)                                  \
+    {                                                                                             \
+      return -1;                                                                                  \
+    }                                                                                             \
+    current = new_element(ELEMENT_KIND_##element_kind, current, sizeof(xml_##element_type));      \
+    P->element_name = (xml_##element_type *)current;                                              \
+  }
+
+#define PREPARE_NODE_WITH_LIST(element_type, element_kind, element_name, parent_type, parent_kind, current) \
+  {                                                                                                         \
+    xml_##parent_type *P = (xml_##parent_type *)current;                                                    \
+    xml_element *tail;                                                                                      \
+    if (!current || current->kind != ELEMENT_KIND_##parent_kind)                                            \
+    {                                                                                                       \
+      return -1;                                                                                            \
+    }                                                                                                       \
+    tail = (xml_element *)P->element_name;                                                                  \
+    current = new_element(ELEMENT_KIND_##element_kind, current, sizeof(xml_##element_type));                \
+    if (!P->element_name)                                                                                   \
+    {                                                                                                       \
+      P->element_name = (xml_##element_type *)current;                                                      \
+    }                                                                                                       \
+    else                                                                                                    \
+    {                                                                                                       \
+      while (tail->next != NULL)                                                                            \
+      {                                                                                                     \
+        tail = tail->next;                                                                                  \
+      }                                                                                                     \
+      tail->next = current;                                                                                 \
+      tail->next->next = NULL;                                                                              \
+    }                                                                                                       \
+  }
+
+static void validate_domains(const struct domain_id_set *domains_set, DDS_Security_SecurityException *ex)
+{
+  const struct domain_id_set *domain = domains_set;
+  if (!domains_set)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found domain set in Governance file without domain ids.");
+    return;
+  }
+  while (domain != NULL && ex->code == 0)
+  {
+    if (!domain->min)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found domain range in Governance file without minimum value.");
+    else if (!domain->max)
+      ; /* The max isn't set with only an id (no range), so no error. */
+    else if (domain->max->value < domain->min->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found domain range in Governance file with invalid range min(%d) max(%d).", domain->min->value, domain->max->value);
+    domain = (struct domain_id_set *)domain->node.next;
+  }
+}
+
+static void validate_topic_rules(const struct topic_rule *topic_rule, DDS_Security_SecurityException *ex)
+{
+  while (topic_rule && ex->code == 0)
+  {
+    if (!topic_rule->data_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without data_protection_kind");
+    else if (!topic_rule->enable_discovery_protection)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_discovery_protection");
+    else if (!topic_rule->enable_liveliness_protection)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_liveliness_protection");
+    else if (!topic_rule->enable_read_access_control)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_read_access_control");
+    else if (!topic_rule->enable_write_access_control)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_write_access_control");
+    else if (!topic_rule->metadata_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without metadata_protection_kind");
+    else
+      topic_rule = (struct topic_rule *)topic_rule->node.next;
+  }
+}
+
+static DDS_Security_boolean validate_rules(const struct domain_rule *rule, DDS_Security_SecurityException *ex)
+{
+  while (rule && ex->code == 0)
+  {
+    if (!rule->domains)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without domain ids.");
+    else if (!rule->allow_unauthenticated_participants)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without allow_unauthenticated_participants.");
+    else if (!rule->enable_join_access_control)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without enable_join_access_control.");
+    else if (!rule->rtps_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without rtps_protection_kind.");
+    else if (!rule->discovery_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without discovery_protection_kind.");
+    else if (!rule->liveliness_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without liveliness_protection_kind.");
+    else
+    {
+      /* Last but not least, check the domain ids (ex is set when there's a failure) */
+      validate_domains(rule->domains->domain_id_set, ex);
+      if (!rule->topic_access_rules && rule->topic_access_rules->topic_rule)
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without topic_access_rules");
+      else
+      {
+        validate_topic_rules(rule->topic_access_rules->topic_rule, ex);
+        rule = (struct domain_rule *)rule->node.next;
+      }
+    }
+  }
+  return (ex->code == 0);
+}
+
+static int validate_permissions_tree(const struct grant *grant, DDS_Security_SecurityException *ex)
+{
+  while (grant && (ex->code == 0))
+  {
+    xml_allow_deny_rule *allow_deny_rule;
+    if (!grant->subject_name || !grant->subject_name->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without subject name.");
+    else if (!grant->validity)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without Validity.");
+    else if (!grant->validity->not_after || !grant->validity->not_after->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without Validity/not_after.");
+    else if (!grant->validity->not_before || !grant->validity->not_before->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without Validity/not_before.");
+    else
+    {
+      /*validate partitions*/
+      allow_deny_rule = grant->allow_deny_rule;
+      while (allow_deny_rule)
+      {
+        xml_criteria *criteria = allow_deny_rule->criteria;
+        while (criteria)
+        {
+          /* set to default partition, if there is no partition specifien in the XML. (DDS Security SPEC 9.4.1.3.2.3.1.4)*/
+          if (criteria->partitions == NULL)
+          {
+            xml_element *criteria_element = &(criteria->node);
+            xml_element *partitions_element;
+            PREPARE_NODE(partitions, PARTITIONS, partitions, criteria, CRITERIA, criteria_element)
+            assert(criteria->partitions);
+            partitions_element = &(criteria->partitions->node);
+            PREPARE_NODE_WITH_LIST(string_value, STRING_VALUE, partition, partitions, PARTITIONS, partitions_element)
+            assert(criteria->partitions->partition);
+            criteria->partitions->partition->value = ddsrt_strdup("");
+          }
+          criteria = (xml_criteria *)criteria->node.next;
+        }
+        allow_deny_rule = (xml_allow_deny_rule *)allow_deny_rule->node.next;
+      }
+    }
+    grant = (struct grant *)grant->node.next;
+  }
+  return (ex->code == 0);
+}
+
+static int to_protection_kind(const char *kindStr, DDS_Security_ProtectionKind *kindEnum)
+{
+  if (strcmp(kindStr, "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION;
+  else if (strcmp(kindStr, "SIGN_WITH_ORIGIN_AUTHENTICATION") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION;
+  else if (strcmp(kindStr, "ENCRYPT") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_ENCRYPT;
+  else if (strcmp(kindStr, "SIGN") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_SIGN;
+  else if (strcmp(kindStr, "NONE") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_NONE;
+  else
+    return -1;
+  return 0;
+}
+
+static int to_basic_protection_kind(const char *kindStr, DDS_Security_BasicProtectionKind *kindEnum)
+{
+  if (strcmp(kindStr, "ENCRYPT") == 0)
+    *kindEnum = DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT;
+  else if (strcmp(kindStr, "SIGN") == 0)
+    *kindEnum = DDS_SECURITY_BASICPROTECTION_KIND_SIGN;
+  else if (strcmp(kindStr, "NONE") == 0)
+    *kindEnum = DDS_SECURITY_BASICPROTECTION_KIND_NONE;
+  else
+    return -1;
+  return 0;
+}
+
+static int governance_element_open_cb(void *varg, uintptr_t parentinfo, uintptr_t *eleminfo, const char *name, int line)
+{
+  governance_parser *parser = (governance_parser *)varg;
+  DDS_Security_SecurityException ex;
+  memset(&ex, 0, sizeof(DDS_Security_SecurityException));
+  DDSRT_UNUSED_ARG(parentinfo);
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (ddsrt_strcasecmp(name, "dds") == 0)
+  {
+    /* This should be the first element. */
+    if (parser->current || parser->dds)
+      return -1;
+    parser->current = new_element(ELEMENT_KIND_DDS, NULL, sizeof(struct governance_dds));
+    parser->dds = (struct governance_dds *)parser->current;
+  }
+  else if (ddsrt_strcasecmp(name, "domain_access_rules") == 0)
+    PREPARE_NODE(domain_access_rules, DOMAIN_ACCESS_RULES, domain_access_rules, governance_dds, DDS, parser->current)
+  else if (ddsrt_strcasecmp(name, "domain_rule") == 0)
+    PREPARE_NODE_WITH_LIST(domain_rule, DOMAIN_RULE, domain_rule, domain_access_rules, DOMAIN_ACCESS_RULES, parser->current)
+  else if (ddsrt_strcasecmp(name, "domains") == 0)
+    PREPARE_NODE(domains, DOMAINS, domains, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "id") == 0)
+  {
+    xml_domains *domains = (xml_domains *)parser->current;
+    xml_domain_id_set *tail;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_DOMAINS)
+      return -1;
+    tail = domains->domain_id_set;
+    parser->current = new_element(ELEMENT_KIND_DOMAIN_VALUE, parser->current, sizeof(xml_integer_value));
+    if (!tail)
+    {
+      domains->domain_id_set = (xml_domain_id_set *)new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = domains->domain_id_set;
+    }
+    else
+    {
+      while (tail->node.next != NULL)
+        tail = (xml_domain_id_set *)tail->node.next;
+      tail->node.next = new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = (xml_domain_id_set *)tail->node.next;
+    }
+    tail->min = (xml_integer_value *)parser->current;
+    tail->max = NULL;
+  }
+  else if (ddsrt_strcasecmp(name, "id_range") == 0)
+    PREPARE_NODE_WITH_LIST(domain_id_set, DOMAIN_ID_SET, domain_id_set, domains, DOMAINS, parser->current)
+  else if (ddsrt_strcasecmp(name, "min") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, min, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "max") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, max, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "allow_unauthenticated_participants") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, allow_unauthenticated_participants, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_join_access_control") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_join_access_control, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "rtps_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, rtps_protection_kind, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "discovery_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, discovery_protection_kind, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "liveliness_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, liveliness_protection_kind, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic_access_rules") == 0)
+    PREPARE_NODE(topic_access_rules, TOPIC_ACCESS_RULES, topic_access_rules, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic_rule") == 0)
+    PREPARE_NODE_WITH_LIST(topic_rule, TOPIC_RULE, topic_rule, topic_access_rules, TOPIC_ACCESS_RULES, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_read_access_control") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_read_access_control, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_write_access_control") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_write_access_control, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "metadata_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, metadata_protection_kind, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "data_protection_kind") == 0)
+    PREPARE_NODE(basicprotection_kind_value, BASICPROTECTION_KIND_VALUE, data_protection_kind, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_liveliness_protection") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_liveliness_protection, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_discovery_protection") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_discovery_protection, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic_expression") == 0)
+  {
+    /* Current should be topic_rule. */
+    struct topic_rule *topicRule = (struct topic_rule *)parser->current;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_TOPIC_RULE)
+      return -1;
+    parser->current = new_element(ELEMENT_KIND_STRING_VALUE, parser->current, sizeof(struct string_value));
+    topicRule->topic_expression = (struct string_value *)parser->current;
+  }
+  else
+  {
+    printf("Unknown XML element: %s\n", name);
+    return -1;
+  }
+
+  return 0;
+}
+
+/* The function that is called on each attribute captured in XML.
+ * Only the following attributes will be handled:
+ * - name : the name of an element or attribute
+ */
+static int governance_element_attr_cb(void *varg, uintptr_t eleminfo, const char *name, const char *value, int line)
+{
+  /* There is no attribute in that XML */
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(varg);
+  DDSRT_UNUSED_ARG(value);
+  DDSRT_UNUSED_ARG(line);
+
+  if (ddsrt_strcasecmp(name, "xmlns:xsi") == 0 || ddsrt_strcasecmp(name, "xsi:noNamespaceSchemaLocation") == 0)
+    return 0;
+  return -1;
+}
+
+static bool str_to_intvalue(const char *image, int32_t *value)
+{
+  char *endptr;
+  long long l;
+  if (ddsrt_strtoll(image, &endptr, 0, &l) != DDS_RETCODE_OK)
+    return false;
+  *value = (int32_t)l;
+  if (*endptr != '\0')
+    return false;
+  return true;
+}
+
+/* The function that is called on each data item captured in XML.
+ * - data: the string value between the element tags
+ */
+static int governance_element_data_cb(void *varg, uintptr_t eleminfo, const char *data, int line)
+{
+  struct governance_parser *parser = (struct governance_parser *)varg;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (!parser || !parser->current)
+    return -1;
+  if (parser->current->kind == ELEMENT_KIND_STRING_VALUE)
+  {
+    struct string_value *value = (struct string_value *)parser->current;
+    value->value = ddsrt_strdup(data);
+  }
+  else if (parser->current->kind == ELEMENT_KIND_DOMAIN_VALUE)
+  {
+    struct integer_value *value = (struct integer_value *)parser->current;
+    if (str_to_intvalue(data, &value->value))
+    {
+      if (value->value < 0 || value->value > 230)
+        return -1;
+    }
+    else
+    {
+      return -1;
+    }
+  }
+  else if (parser->current->kind == ELEMENT_KIND_BOOLEAN_VALUE)
+  {
+    struct boolean_value *value = (struct boolean_value *)parser->current;
+    if (ddsrt_strcasecmp("true", data) == 0 || strcmp("1", data) == 0)
+      value->value = true;
+    else if (ddsrt_strcasecmp("false", data) == 0 || strcmp("0", data) == 0)
+      value->value = false;
+    else
+      return -1;
+  }
+  else if (parser->current->kind == ELEMENT_KIND_PROTECTION_KIND_VALUE)
+  {
+    struct protection_kind_value *value = (struct protection_kind_value *)parser->current;
+    if (to_protection_kind(data, &(value->value)) != 0)
+      return -1;
+  }
+  else if (parser->current->kind == ELEMENT_KIND_BASICPROTECTION_KIND_VALUE)
+  {
+    struct basicprotection_kind_value *value = (struct basicprotection_kind_value *)parser->current;
+    if (to_basic_protection_kind(data, &(value->value)) != 0)
+      return -1;
+  }
+  else
+  {
+    return -1;
+  }
+
+  return 0;
+}
+
+static int governance_element_close_cb(void *varg, uintptr_t eleminfo, int line)
+{
+  struct governance_parser *parser = (struct governance_parser *)varg;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (!parser->current)
+    return -1;
+  parser->current = parser->current->parent;
+  return 0;
+}
+
+static void governance_error_cb(void *varg, const char *msg, int line)
+{
+  DDSRT_UNUSED_ARG(varg);
+  printf("Failed to parse configuration file: error %d - %s\n", line, msg);
+}
+
+static void free_stringvalue(struct string_value *str)
+{
+  if (str)
+  {
+    ddsrt_free(str->value);
+    ddsrt_free(str);
+  }
+}
+
+static void free_domainid_set(struct domain_id_set *dis)
+{
+  if (dis)
+  {
+    if (dis->node.next)
+    {
+      free_domainid_set((struct domain_id_set *)dis->node.next);
+    }
+    ddsrt_free(dis->min);
+    ddsrt_free(dis->max);
+    ddsrt_free(dis);
+  }
+}
+
+static void free_domains(struct domains *domains)
+{
+  if (domains)
+  {
+    free_domainid_set(domains->domain_id_set);
+    ddsrt_free(domains);
+  }
+}
+
+static void free_topic_rule(struct topic_rule *rule)
+{
+  if (rule)
+  {
+    if (rule->node.next)
+      free_topic_rule((struct topic_rule *)rule->node.next);
+    free_stringvalue(rule->topic_expression);
+    ddsrt_free(rule->enable_discovery_protection);
+    ddsrt_free(rule->enable_liveliness_protection);
+    ddsrt_free(rule->enable_read_access_control);
+    ddsrt_free(rule->enable_write_access_control);
+    ddsrt_free(rule->metadata_protection_kind);
+    ddsrt_free(rule->data_protection_kind);
+    ddsrt_free(rule);
+  }
+}
+
+static void free_topic_access_rules(struct topic_access_rules *tar)
+{
+  if (tar)
+  {
+    struct topic_rule *current = tar->topic_rule;
+    free_topic_rule(current);
+  }
+  ddsrt_free(tar);
+}
+
+static void free_domain_rule(struct domain_rule *rule)
+{
+  if (rule)
+  {
+    if (rule->node.next)
+      free_domain_rule((struct domain_rule *)rule->node.next);
+    free_domains(rule->domains);
+    ddsrt_free(rule->allow_unauthenticated_participants);
+    ddsrt_free(rule->enable_join_access_control);
+    ddsrt_free(rule->rtps_protection_kind);
+    ddsrt_free(rule->discovery_protection_kind);
+    ddsrt_free(rule->liveliness_protection_kind);
+    free_topic_access_rules(rule->topic_access_rules);
+    ddsrt_free(rule);
+  }
+}
+
+static void free_domain_access_rules(struct domain_access_rules *dar)
+{
+  if (dar)
+  {
+    free_domain_rule(dar->domain_rule);
+    ddsrt_free(dar);
+  }
+}
+
+bool ac_parse_governance_xml(const char *xml, struct governance_parser **governance_tree, DDS_Security_SecurityException *ex)
+{
+  struct governance_parser *parser = NULL;
+  struct ddsrt_xmlp_state *st = NULL;
+  if (xml)
+  {
+    struct ddsrt_xmlp_callbacks cb;
+    cb.elem_open = governance_element_open_cb;
+    cb.elem_data = governance_element_data_cb;
+    cb.elem_close = governance_element_close_cb;
+    cb.attr = governance_element_attr_cb;
+    cb.error = governance_error_cb;
+    parser = ddsrt_malloc(sizeof(struct governance_parser));
+    parser->current = NULL;
+    parser->dds = NULL;
+    st = ddsrt_xmlp_new_string(xml, parser, &cb);
+    if (ddsrt_xmlp_parse(st) != 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_MESSAGE);
+      goto err_xml_parsing;
+    }
+#if DEBUG_PARSER
+    print_governance_parser_result(parser);
+#endif
+    if ((parser->dds != NULL) && (parser->dds->domain_access_rules != NULL) && (parser->dds->domain_access_rules->domain_rule != NULL))
+    {
+      if (!validate_rules(parser->dds->domain_access_rules->domain_rule, ex))
+        goto err_rules_validation;
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_MESSAGE);
+      goto err_parser_content;
+    }
+    *governance_tree = parser;
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_MESSAGE);
+    goto err_xml;
+  }
+  ddsrt_xmlp_free(st);
+  return true;
+
+err_parser_content:
+err_rules_validation:
+err_xml_parsing:
+  ddsrt_xmlp_free(st);
+  ac_return_governance_tree(parser);
+err_xml:
+  return false;
+}
+
+void ac_return_governance_tree(struct governance_parser *parser)
+{
+  if (parser)
+  {
+    if (parser->dds)
+    {
+      free_domain_access_rules(parser->dds->domain_access_rules);
+      ddsrt_free(parser->dds);
+    }
+    ddsrt_free(parser);
+  }
+}
+
+/* Permissions Callback functions */
+
+static int permissions_element_open_cb(void *varg, uintptr_t parentinfo, uintptr_t *eleminfo, const char *name, int line)
+{
+  permissions_parser *parser = (permissions_parser *)varg;
+  DDS_Security_SecurityException ex;
+  memset(&ex, 0, sizeof(DDS_Security_SecurityException));
+  DDSRT_UNUSED_ARG(parentinfo);
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+
+  /*it may be a valid element under an ignored element */
+  if (parser->current && parser->current->kind == ELEMENT_KIND_IGNORED)
+    parser->current = new_element(ELEMENT_KIND_IGNORED, parser->current, sizeof(struct element));
+  else if (ddsrt_strcasecmp(name, "dds") == 0)
+  {
+    /* This should be the first element. */
+    if (parser->current || parser->dds)
+      return -1;
+    parser->current = new_element(ELEMENT_KIND_DDS, NULL, sizeof(struct permissions_dds));
+    parser->dds = (struct permissions_dds *)parser->current;
+  }
+  else if (ddsrt_strcasecmp(name, "permissions") == 0)
+    PREPARE_NODE(permissions, PERMISSIONS, permissions, permissions_dds, DDS, parser->current)
+  else if (ddsrt_strcasecmp(name, "grant") == 0)
+    PREPARE_NODE_WITH_LIST(grant, GRANT, grant, permissions, PERMISSIONS, parser->current)
+  else if (ddsrt_strcasecmp(name, "domains") == 0)
+    PREPARE_NODE(domains, DOMAINS, domains, allow_deny_rule, ALLOW_DENY_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "id") == 0)
+  {
+    xml_domains *domains = (xml_domains *)parser->current;
+    xml_domain_id_set *tail;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_DOMAINS)
+      return -1;
+    tail = domains->domain_id_set;
+    parser->current = new_element(ELEMENT_KIND_DOMAIN_VALUE, parser->current, sizeof(xml_integer_value));
+    if (!tail)
+    {
+      domains->domain_id_set = (xml_domain_id_set *)new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = domains->domain_id_set;
+    }
+    else
+    {
+      while (tail->node.next != NULL)
+        tail = (xml_domain_id_set *)tail->node.next;
+      tail->node.next = new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = (xml_domain_id_set *)tail->node.next;
+    }
+    tail->min = (xml_integer_value *)parser->current;
+    tail->max = NULL;
+  }
+  else if (ddsrt_strcasecmp(name, "id_range") == 0)
+    PREPARE_NODE_WITH_LIST(domain_id_set, DOMAIN_ID_SET, domain_id_set, domains, DOMAINS, parser->current)
+  else if (ddsrt_strcasecmp(name, "min") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, min, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "max") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, max, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "subject_name") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, subject_name, grant, GRANT, parser->current)
+  else if (ddsrt_strcasecmp(name, "validity") == 0)
+    PREPARE_NODE(validity, VALIDITY, validity, grant, GRANT, parser->current)
+  else if (ddsrt_strcasecmp(name, "not_before") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, not_before, validity, VALIDITY, parser->current)
+  else if (ddsrt_strcasecmp(name, "not_after") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, not_after, validity, VALIDITY, parser->current)
+  else if (ddsrt_strcasecmp(name, "allow_rule") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(allow_deny_rule, ALLOW_DENY_RULE, allow_deny_rule, grant, GRANT, parser->current)
+    ((xml_allow_deny_rule *)parser->current)->rule_type = ALLOW_RULE;
+  }
+  else if (ddsrt_strcasecmp(name, "deny_rule") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(allow_deny_rule, ALLOW_DENY_RULE, allow_deny_rule, grant, GRANT, parser->current)
+    ((xml_allow_deny_rule *)parser->current)->rule_type = DENY_RULE;
+  }
+  else if (ddsrt_strcasecmp(name, "subscribe") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(criteria, CRITERIA, criteria, allow_deny_rule, ALLOW_DENY_RULE, parser->current)
+    ((xml_criteria *)parser->current)->criteria_type = SUBSCRIBE_CRITERIA;
+  }
+  else if (ddsrt_strcasecmp(name, "publish") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(criteria, CRITERIA, criteria, allow_deny_rule, ALLOW_DENY_RULE, parser->current)
+    ((xml_criteria *)parser->current)->criteria_type = PUBLISH_CRITERIA;
+  }
+  else if (ddsrt_strcasecmp(name, "topics") == 0)
+    PREPARE_NODE(topics, TOPICS, topics, criteria, CRITERIA, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic") == 0)
+    PREPARE_NODE_WITH_LIST(string_value, STRING_VALUE, topic, topics, TOPICS, parser->current)
+  else if (ddsrt_strcasecmp(name, "partitions") == 0)
+    PREPARE_NODE(partitions, PARTITIONS, partitions, criteria, CRITERIA, parser->current)
+  else if (ddsrt_strcasecmp(name, "partition") == 0)
+    PREPARE_NODE_WITH_LIST(string_value, STRING_VALUE, partition, partitions, PARTITIONS, parser->current)
+  else if (ddsrt_strcasecmp(name, "default") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, default_action, grant, GRANT, parser->current)
+  else if (ddsrt_strcasecmp(name, "relay") == 0 ||
+           ddsrt_strcasecmp(name, "value") == 0 ||
+           ddsrt_strcasecmp(name, "name") == 0 ||
+           ddsrt_strcasecmp(name, "tag") == 0 ||
+           ddsrt_strcasecmp(name, "data_tags") == 0)
+  {
+    parser->current = new_element(ELEMENT_KIND_IGNORED, parser->current, sizeof(struct element));
+    /*if this is the first element in the IGNORED branch, then give warning for the user*/
+    if (parser->current->parent->kind != ELEMENT_KIND_IGNORED)
+      printf("Warning: Unsupported element \"%s\" has been ignored in permissions file.\n", name);
+  }
+  else
+  {
+    printf("Unknown XML element: %s\n", name);
+    return -1;
+  }
+
+  return 0;
+}
+
+/* The function that is called on each attribute captured in XML.
+ * Only the following attributes will be handled:
+ * - name : the name of an element or attribute
+ */
+static int permissions_element_attr_cb(void *varg, uintptr_t eleminfo, const char *name, const char *value, int line)
+{
+  struct permissions_parser *parser = (struct permissions_parser *)varg;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (ddsrt_strcasecmp(name, "xmlns:xsi") == 0 || ddsrt_strcasecmp(name, "xsi:noNamespaceSchemaLocation") == 0)
+    return 0;
+  if (strcmp(name, "name") == 0)
+  {
+    /* Parent should be grants. */
+    struct grant *grant = (struct grant *)parser->current;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_GRANT)
+      return -1;
+    grant->name = ddsrt_strdup(value);
+    return 0;
+  }
+  return -1;
+}
+
+/* The function that is called on each data item captured in XML.
+ * - data: the string value between the element tags */
+static int permissions_element_data_cb(void *varg, uintptr_t eleminfo, const char *data, int line)
+{
+  struct permissions_parser *parser = (struct permissions_parser *)varg;
+  DDS_Security_SecurityException ex;
+  memset(&ex, 0, sizeof(DDS_Security_SecurityException));
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (!parser || !parser->current)
+    return -1;
+  if (parser->current->kind == ELEMENT_KIND_STRING_VALUE)
+  {
+    struct string_value *value = (struct string_value *)parser->current;
+    value->value = ddsrt_strdup(data);
+  }
+  else if (parser->current->kind == ELEMENT_KIND_DOMAIN_VALUE)
+  {
+    struct integer_value *value = (struct integer_value *)parser->current;
+    if (str_to_intvalue(data, &value->value))
+    {
+      if (value->value < 0 || value->value > 230)
+        return -1;
+    }
+    else
+      return -1;
+  }
+  else
+  {
+    if (parser->current->kind != ELEMENT_KIND_IGNORED)
+      return -1;
+  }
+  return 0;
+}
+
+static int permissions_element_close_cb(void *varg, uintptr_t eleminfo, int line)
+{
+  struct permissions_parser *parser = (struct permissions_parser *)varg;
+  struct element *parent;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+
+  if (!parser->current)
+    return -1;
+  parent = parser->current->parent;
+  if (parser->current->kind == ELEMENT_KIND_IGNORED)
+    ddsrt_free(parser->current);
+  parser->current = parent;
+  return 0;
+}
+
+static void permissions_error_cb(void *varg, const char *msg, int line)
+{
+  DDSRT_UNUSED_ARG(varg);
+  printf("Failed to parse configuration file: error %d - %s\n", line, msg);
+}
+
+bool ac_parse_permissions_xml(const char *xml, struct permissions_parser **permissions_tree, DDS_Security_SecurityException *ex)
+{
+  struct permissions_parser *parser = NULL;
+  struct ddsrt_xmlp_state *st = NULL;
+
+  if (xml)
+  {
+    struct ddsrt_xmlp_callbacks cb;
+    cb.elem_open = permissions_element_open_cb;
+    cb.elem_data = permissions_element_data_cb;
+    cb.elem_close = permissions_element_close_cb;
+    cb.attr = permissions_element_attr_cb;
+    cb.error = permissions_error_cb;
+    parser = ddsrt_malloc(sizeof(struct permissions_parser));
+    parser->current = NULL;
+    parser->dds = NULL;
+    st = ddsrt_xmlp_new_string(xml, parser, &cb);
+    if (ddsrt_xmlp_parse(st) != 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_MESSAGE);
+      goto err_xml_parsing;
+    }
+#if DEBUG_PARSER
+    print_permissions_parser_result(parser);
+#endif
+    if ((parser->dds != NULL) && (parser->dds->permissions != NULL) && (parser->dds->permissions->grant != NULL))
+    {
+      if (!validate_permissions_tree(parser->dds->permissions->grant, ex))
+        goto err_parser_content;
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_MESSAGE);
+      goto err_parser_content;
+    }
+    *permissions_tree = parser;
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_MESSAGE);
+    goto err_xml;
+  }
+  ddsrt_xmlp_free(st);
+  return true;
+
+err_parser_content:
+err_xml_parsing:
+  ddsrt_xmlp_free(st);
+  ac_return_permissions_tree(parser);
+err_xml:
+  return false;
+}
+
+static void free_topic(struct string_value *topic)
+{
+  if (topic)
+  {
+    if (topic->node.next != NULL)
+      free_topic((struct string_value *)topic->node.next);
+    free_stringvalue(topic);
+  }
+}
+
+static void free_topics(struct topics *topics)
+{
+  if (topics)
+  {
+    free_topic(topics->topic);
+    ddsrt_free(topics);
+  }
+}
+
+static void free_partition(struct string_value *partition)
+{
+  if (partition)
+  {
+    if (partition->node.next != NULL)
+      free_partition((struct string_value *)partition->node.next);
+    free_stringvalue(partition);
+  }
+}
+
+static void free_partitions(struct partitions *partitions)
+{
+  if (partitions)
+  {
+    free_partition(partitions->partition);
+    ddsrt_free(partitions);
+  }
+}
+
+static void free_validity(struct validity *validity)
+{
+  if (validity)
+  {
+    free_stringvalue(validity->not_after);
+    free_stringvalue(validity->not_before);
+    ddsrt_free(validity);
+  }
+}
+
+static void free_criteria(struct criteria *criteria)
+{
+  if (criteria)
+  {
+    if (criteria->node.next)
+      free_criteria((struct criteria *)criteria->node.next);
+    free_partitions(criteria->partitions);
+    free_topics(criteria->topics);
+    ddsrt_free(criteria);
+  }
+}
+
+static void free_allow_deny_rule(struct allow_deny_rule *rule)
+{
+  if (rule)
+  {
+    free_allow_deny_rule((struct allow_deny_rule *)rule->node.next);
+    free_domains(rule->domains);
+    free_criteria(rule->criteria);
+    ddsrt_free(rule);
+  }
+}
+
+static void free_grant(struct grant *grant)
+{
+  if (grant)
+  {
+    if (grant->node.next)
+      free_grant((struct grant *)grant->node.next);
+    ddsrt_free(grant->name);
+    free_stringvalue(grant->subject_name);
+    free_stringvalue(grant->default_action);
+    free_validity(grant->validity);
+    free_allow_deny_rule(grant->allow_deny_rule);
+    ddsrt_free(grant);
+  }
+}
+
+static void free_permissions(struct permissions *permissions)
+{
+  if (permissions)
+  {
+    free_grant(permissions->grant);
+    ddsrt_free(permissions);
+  }
+}
+
+void ac_return_permissions_tree(struct permissions_parser *parser)
+{
+  if (parser)
+  {
+    if (parser->dds)
+    {
+      free_permissions(parser->dds->permissions);
+      ddsrt_free(parser->dds);
+    }
+    ddsrt_free(parser);
+  }
+}
diff --git a/src/security/builtin_plugins/access_control/src/access_control_parser.h b/src/security/builtin_plugins/access_control/src/access_control_parser.h
new file mode 100644
index 0000000..b4ed491
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_parser.h
@@ -0,0 +1,301 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_PARSER_H
+#define ACCESS_CONTROL_PARSER_H
+
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+
+typedef enum
+{
+  ELEMENT_KIND_UNDEFINED,
+  ELEMENT_KIND_DDS,
+  ELEMENT_KIND_DOMAIN_ACCESS_RULES,
+  ELEMENT_KIND_DOMAIN_RULE,
+  ELEMENT_KIND_DOMAINS,
+  ELEMENT_KIND_DOMAIN_ID_SET,
+  ELEMENT_KIND_RANGE,
+  ELEMENT_KIND_ALLOW_UNAUTHENTICATED_PARTICIPANTS,
+  ELEMENT_KIND_ENABLE_JOIN_ACCESS_CONTROL,
+  ELEMENT_KIND_RTPS_PROTECTION,
+  ELEMENT_KIND_DISCOVERY_PROTECTION,
+  ELEMENT_KIND_LIVELINESS_PROTECTION,
+  ELEMENT_KIND_TOPIC_ACCESS_RULES,
+  ELEMENT_KIND_TOPIC_RULE,
+  ELEMENT_KIND_STRING_VALUE,
+  ELEMENT_KIND_BOOLEAN_VALUE,
+  ELEMENT_KIND_DOMAIN_VALUE,
+  ELEMENT_KIND_PROTECTION_KIND_VALUE,
+  ELEMENT_KIND_BASICPROTECTION_KIND_VALUE,
+  ELEMENT_KIND_PERMISSIONS,
+  ELEMENT_KIND_GRANT,
+  ELEMENT_KIND_ALLOW_DENY_RULE,
+  ELEMENT_KIND_CRITERIA,
+  ELEMENT_KIND_VALIDITY,
+  ELEMENT_KIND_TOPICS,
+  ELEMENT_KIND_PARTITIONS,
+  ELEMENT_KIND_DEFAULT,
+  ELEMENT_KIND_IGNORED
+} element_kind;
+
+typedef enum
+{
+  UNKNOWN_CRITERIA,
+  SUBSCRIBE_CRITERIA,
+  PUBLISH_CRITERIA
+} permission_criteria_type;
+
+typedef enum
+{
+  ALLOW_RULE,
+  DENY_RULE
+} permission_rule_type;
+
+typedef struct element
+{
+  struct element *parent;
+  element_kind kind;
+  struct element *next; /*used in case of string list usage */
+} xml_element;
+
+/* TODO: Change the value nodes for specific nodes for
+ * proper value parsing and validating. */
+
+typedef struct string_value
+{
+  struct element node;
+  char *value;
+} xml_string_value;
+
+typedef struct boolean_value
+{
+  struct element node;
+  bool value;
+} xml_boolean_value;
+
+typedef struct integer_value
+{
+  struct element node;
+  int32_t value;
+} xml_integer_value;
+
+typedef struct protection_kind_value
+{
+  struct element node;
+  DDS_Security_ProtectionKind value;
+} xml_protection_kind_value;
+
+typedef struct basicprotection_kind_value
+{
+  struct element node;
+  DDS_Security_BasicProtectionKind value;
+} xml_basicprotection_kind_value;
+
+typedef struct domain_id_set
+{
+  struct element node;
+  struct integer_value *min;
+  struct integer_value *max;
+} xml_domain_id_set;
+
+typedef struct domains
+{
+  struct element node;
+  struct domain_id_set *domain_id_set; /*linked list*/
+} xml_domains;
+
+typedef struct topic_rule
+{
+  struct element node;
+  struct string_value *topic_expression;
+  struct boolean_value *enable_discovery_protection;
+  struct boolean_value *enable_liveliness_protection;
+  struct boolean_value *enable_read_access_control;
+  struct boolean_value *enable_write_access_control;
+  struct protection_kind_value *metadata_protection_kind;
+  struct basicprotection_kind_value *data_protection_kind;
+} xml_topic_rule;
+
+typedef struct topic_access_rules
+{
+  struct element node;
+  struct topic_rule *topic_rule; /*linked_list*/
+} xml_topic_access_rules;
+
+typedef struct domain_rule
+{
+  struct element node;
+  struct domains *domains;
+  struct boolean_value *allow_unauthenticated_participants;
+  struct boolean_value *enable_join_access_control;
+  struct protection_kind_value *discovery_protection_kind;
+  struct protection_kind_value *liveliness_protection_kind;
+  struct protection_kind_value *rtps_protection_kind;
+  struct topic_access_rules *topic_access_rules;
+} xml_domain_rule;
+
+typedef struct domain_access_rules
+{
+  struct element node;
+  struct domain_rule *domain_rule;
+} xml_domain_access_rules;
+
+typedef struct governance_dds
+{
+  struct element node;
+  struct domain_access_rules *domain_access_rules;
+} xml_governance_dds;
+
+typedef struct governance_parser
+{
+  struct governance_dds *dds;
+  struct element *current;
+} governance_parser;
+
+/* permissions file specific types */
+typedef struct validity
+{
+  struct element node;
+  struct string_value *not_before;
+  struct string_value *not_after;
+} xml_validity;
+
+typedef struct topics
+{
+  struct element node;
+  struct string_value *topic;
+} xml_topics;
+
+typedef struct partitions
+{
+  struct element node;
+  struct string_value *partition;
+} xml_partitions;
+
+typedef struct criteria
+{
+  struct element node;
+  permission_criteria_type criteria_type;
+  struct topics *topics;
+  struct partitions *partitions;
+} xml_criteria;
+
+typedef struct allow_deny_rule
+{
+  struct element node;
+  permission_rule_type rule_type;
+  struct domains *domains;
+  struct criteria *criteria;
+} xml_allow_deny_rule;
+
+typedef struct grant
+{
+  struct element node;
+  char *name;
+  struct string_value *subject_name;
+  struct validity *validity;
+  struct allow_deny_rule *allow_deny_rule;
+  struct string_value *default_action;
+} xml_grant;
+
+typedef struct permissions
+{
+  struct element node;
+  struct grant *grant;
+} xml_permissions;
+
+typedef struct permissions_dds
+{
+  struct element node;
+  struct permissions *permissions;
+} xml_permissions_dds;
+
+typedef struct permissions_parser
+{
+  struct permissions_dds *dds;
+  struct element *current;
+} permissions_parser;
+
+bool ac_parse_governance_xml(const char *xml, struct governance_parser **governance_tree, DDS_Security_SecurityException *ex);
+bool ac_parse_permissions_xml(const char *xml, struct permissions_parser **permissions_tree, DDS_Security_SecurityException *ex);
+void ac_return_governance_tree(struct governance_parser *parser);
+void ac_return_permissions_tree(struct permissions_parser *parser);
+
+#define DDS_SECURITY_DEFAULT_GOVERNANCE "<?xml version=\"1.0\" encoding=\"utf-8\"?> \
+<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \
+    xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd\"> \
+    <domain_access_rules>                                                                                               \
+        <domain_rule>                                                                                                   \
+            <domains>                                                                                                   \
+                <!-- All domains -->                                                                                    \
+                <id_range>                                                                                              \
+                    <min>0</min>                                                                                        \
+                    <max>230</max>                                                                                      \
+                </id_range>                                                                                             \
+            </domains>                                                                                                  \
+                                                                                                                        \
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>                              \
+            <enable_join_access_control>false</enable_join_access_control>                                               \
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>                                              \
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>                                            \
+            <rtps_protection_kind>NONE</rtps_protection_kind>                                                           \
+            <topic_access_rules>                                                                                        \
+                <topic_rule>                                                                                            \
+                    <topic_expression>*</topic_expression>                                                              \
+                    <enable_liveliness_protection>true</enable_liveliness_protection>                                   \
+                    <enable_discovery_protection>true</enable_discovery_protection>                                     \
+                    <enable_read_access_control>false</enable_read_access_control>                                      \
+                    <enable_write_access_control>false</enable_write_access_control>                                    \
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>                                        \
+                    <data_protection_kind>ENCRYPT</data_protection_kind>                                                \
+                </topic_rule>                                                                                           \
+            </topic_access_rules>                                                                                       \
+        </domain_rule>                                                                                                  \
+    </domain_access_rules>                                                                                              \
+</dds>                                      "
+
+#define DDS_SECURITY_DEFAULT_PERMISSIONS "<?xml version=\"1.0\" encoding=\"utf-8\"?>                                    \
+<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"                                                            \
+    xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd\">      \
+    <permissions>                                                                                                       \
+        <grant name=\"DEFAULT_PERMISSIONS\">                                                                            \
+            <subject_name>DEFAULT_SUBJECT</subject_name>                                                                               \
+            <validity>                                                                                                  \
+                <not_before>2015-09-15T01:00:00</not_before>                                                            \
+                <not_after>2115-09-15T01:00:00</not_after>                                                              \
+            </validity>                                                                                                 \
+            <deny_rule>                                                                                                \
+                <domains>                                                                                               \
+                    <id_range>                                                                                          \
+                        <min>0</min>                                                                                    \
+                        <max>230</max>                                                                                  \
+                    </id_range>                                                                                         \
+                </domains>                                                                                              \
+                <publish>                                                                                               \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </publish>                                                                                              \
+                <subscribe>                                                                                             \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </subscribe>                                                                                            \
+           </deny_rule>                                                                                                \
+           <default>DENY</default>                                                                                     \
+        </grant>                                                                                                        \
+    </permissions>                                                                                                      \
+</dds>                                  "
+
+#endif /* ACCESS_CONTROL_UTILS_H */
diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.c b/src/security/builtin_plugins/access_control/src/access_control_utils.c
new file mode 100644
index 0000000..6c56d9e
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_utils.c
@@ -0,0 +1,406 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/time.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "access_control_utils.h"
+
+#define SEQ_ERR -1
+#define SEQ_NOMATCH 0
+#define SEQ_MATCH 1
+
+bool ac_X509_certificate_from_data(const char *data, int len, X509 **x509Cert, DDS_Security_SecurityException *ex)
+{
+  BIO *bio;
+  assert(data);
+  assert(len >= 0);
+  assert(x509Cert);
+
+  /* load certificate in buffer */
+  if ((bio = BIO_new_mem_buf((void *)data, len)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+    return false;
+  }
+  if ((*x509Cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE, 0, DDS_SECURITY_ERR_INVALID_CERTICICATE_MESSAGE ": ");
+    BIO_free(bio);
+    return false;
+  }
+  BIO_free(bio);
+  return true;
+}
+
+static bool X509_certificate_from_file(const char *filename, X509 **x509Cert, DDS_Security_SecurityException *ex)
+{
+  DDSRT_WARNING_MSVC_OFF(4996);
+  FILE *fp;
+  assert(filename);
+  assert(x509Cert);
+
+  /* Check if this is a valid file by getting its size. */
+  if (ac_regular_file_size(filename) == 0)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename);
+    return false;
+  }
+  if ((fp = fopen(filename, "r")) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename);
+    return false;
+  }
+  if ((*x509Cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE, 0, DDS_SECURITY_ERR_INVALID_CERTICICATE_MESSAGE ": ");
+    fclose(fp);
+    return false;
+  }
+  fclose(fp);
+  return true;
+  DDSRT_WARNING_MSVC_ON(4996);
+}
+
+bool ac_X509_certificate_read(const char *data, X509 **x509Cert, DDS_Security_SecurityException *ex)
+{
+  bool result = false;
+  char *contents = NULL;
+  assert(data);
+  assert(x509Cert);
+
+  switch (DDS_Security_get_conf_item_type(data, &contents))
+  {
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE:
+    result = X509_certificate_from_file(contents, x509Cert, ex);
+    break;
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA:
+    result = ac_X509_certificate_from_data(contents, (int)strlen(contents), x509Cert, ex);
+    break;
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_PKCS11:
+    DDS_Security_Exception_set(
+        ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE, 0,
+        DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_MESSAGE " (pkcs11)");
+    break;
+  default:
+    DDS_Security_Exception_set(
+        ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE, 0,
+        DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_MESSAGE);
+    break;
+  }
+  ddsrt_free(contents);
+  return result;
+}
+
+char *ac_get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *ex)
+{
+  X509_NAME *name;
+  BIO *bio;
+  char *subject = NULL;
+  char *pmem;
+  size_t sz;
+  assert(cert);
+  if (!(bio = BIO_new(BIO_s_mem())))
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+    goto err_bio_alloc;
+  }
+  if (!(name = X509_get_subject_name(cert)))
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE ": ");
+    goto err_get_subject;
+  }
+
+  /* TODO: check if this is the correct format of the subject name: check spec */
+  X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253);
+
+  sz = (size_t) BIO_get_mem_data(bio, &pmem);
+  subject = ddsrt_malloc(sz + 1);
+
+  if (BIO_gets(bio, subject, (int)sz + 1) < 0)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE ": ");
+    ddsrt_free(subject);
+    subject = NULL;
+  }
+  BIO_free(bio);
+  return subject;
+
+err_get_subject:
+  BIO_free(bio);
+err_bio_alloc:
+  return NULL;
+}
+
+static bool PKCS7_document_from_data(const char *data, size_t len, PKCS7 **p7, BIO **bcont, DDS_Security_SecurityException *ex)
+{
+  BIO *bio;
+  assert(data);
+  assert(p7);
+  assert(bcont);
+
+  *bcont = NULL;
+  assert (len < INT32_MAX);
+  if ((bio = BIO_new_mem_buf((void *)data, (int)len)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+    return false;
+  }
+  if ((*p7 = SMIME_read_PKCS7(bio, bcont)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
+    BIO_free(bio);
+    return false;
+  }
+  BIO_free(bio);
+  return true;
+}
+
+static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbio, DDS_Security_SecurityException *ex)
+{
+  bool result = false;
+  X509_STORE *store = NULL;
+
+  assert(p7);
+  assert(cert);
+  assert(inbio);
+  assert(outbio);
+
+  if ((*outbio = BIO_new(BIO_s_mem())) == NULL)
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+  else if ((store = X509_STORE_new()) == NULL)
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+  else
+  {
+    X509_STORE_add_cert(store, cert);
+    if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1)
+      DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
+    else
+      result = true;
+  }
+  if (store)
+    X509_STORE_free(store);
+  if (!result && *outbio)
+  {
+    BIO_free(*outbio);
+    *outbio = NULL;
+  }
+  return result;
+}
+
+bool ac_PKCS7_document_check(const char *data, size_t len, X509 *cert, char **document, DDS_Security_SecurityException *ex)
+{
+  bool result = false;
+  PKCS7 *p7;
+  BIO *bcont, *bdoc;
+  char *pmem;
+  size_t sz;
+
+  assert(data);
+  assert(cert);
+  assert(document);
+
+  if (!PKCS7_document_from_data(data, len, &p7, &bcont, ex))
+    goto err_read_data;
+
+  if (!PKCS7_document_verify(p7, cert, bcont, &bdoc, ex))
+    goto err_verify;
+
+  sz = (size_t) BIO_get_mem_data(bdoc, &pmem);
+  *document = ddsrt_malloc(sz + 1);
+  memcpy(*document, pmem, sz);
+  (*document)[sz] = '\0';
+  result = true;
+  BIO_free(bdoc);
+
+err_verify:
+  PKCS7_free(p7);
+  BIO_free(bcont);
+err_read_data:
+  return result;
+}
+
+static bool string_to_properties(const char *str, DDS_Security_PropertySeq *properties)
+{
+  char *copy = ddsrt_strdup (str), *cursor = copy, *tok;
+  while ((tok = ddsrt_strsep (&cursor, ",/|")) != NULL)
+  {
+    if (strlen(tok) == 0)
+      continue;
+    char *name = ddsrt_strsep (&tok, "=");
+    if (name == NULL || tok == NULL || properties->_length >= properties->_maximum)
+    {
+      ddsrt_free (copy);
+      return false;
+    }
+    properties->_buffer[properties->_length].name = ddsrt_strdup(name);
+    properties->_buffer[properties->_length].value = ddsrt_strdup(tok);
+    properties->_length++;
+  }
+  ddsrt_free (copy);
+  return true;
+}
+
+bool ac_check_subjects_are_equal(const char *permissions_sn, const char *identity_sn)
+{
+  bool result = false;
+  char *copy_idsn = ddsrt_strdup (identity_sn), *cursor_idsn = copy_idsn, *tok_idsn;
+  DDS_Security_PropertySeq prop_pmsn;
+  prop_pmsn._length = 0;
+  prop_pmsn._maximum = 20;
+  prop_pmsn._buffer = ddsrt_malloc(prop_pmsn._maximum * sizeof(DDS_Security_Property_t));
+
+  if (!string_to_properties(permissions_sn, &prop_pmsn))
+    goto check_subj_equal_failed;
+
+  while ((tok_idsn = ddsrt_strsep (&cursor_idsn, ",/|")) != NULL)
+  {
+    char *value_pmsn;
+    char *name_idsn = ddsrt_strsep (&tok_idsn, "=");
+    if (name_idsn == NULL || tok_idsn == NULL)
+      goto check_subj_equal_failed;
+    value_pmsn = DDS_Security_Property_get_value(&prop_pmsn, name_idsn);
+    if (value_pmsn == NULL || strcmp(value_pmsn, value_pmsn) != 0)
+    {
+      ddsrt_free(value_pmsn);
+      goto check_subj_equal_failed;
+    }
+    ddsrt_free(value_pmsn);
+  }
+  result = true;
+
+check_subj_equal_failed:
+  ddsrt_free(copy_idsn);
+  DDS_Security_PropertySeq_deinit(&prop_pmsn);
+  return result;
+}
+
+size_t ac_regular_file_size(const char *filename)
+{
+  if (filename)
+  {
+#if _WIN32
+    struct _stat stat_info;
+    if (_stat (filename, &stat_info) == 0)
+      if (stat_info.st_mode & _S_IFREG)
+        return (size_t) stat_info.st_size;
+#else
+    struct stat stat_info;
+    if (stat (filename, &stat_info) == 0)
+      if (S_ISREG(stat_info.st_mode))
+        return (size_t) stat_info.st_size;
+#endif
+  }
+  return 0;
+}
+
+static int sequencematch(const char *pat, char c, char **new_pat)
+{
+  char patc = *pat;
+  char rpatc;
+  const bool neg = (patc == '!');
+  bool m = false;
+
+  if (neg)
+    ++pat;
+  for (patc = *pat; patc != ']'; pat++)
+  {
+    patc = *pat;
+    if (patc == '\0')
+      return SEQ_ERR;
+    if (*(pat + 1) == '-')
+    {
+      rpatc = *(pat + 2);
+      if (rpatc == '\0' || rpatc == ']')
+        return SEQ_ERR;
+      if ((uint8_t)patc <= (uint8_t)c && (uint8_t)c <= (uint8_t)rpatc)
+        m = true;
+      pat += 2;
+    }
+    else if (patc == c)
+      m = true;
+  }
+  *new_pat = (char *) pat;
+  return (m != neg) ? SEQ_MATCH : SEQ_NOMATCH;
+}
+
+bool ac_fnmatch(const char* pat, const char* str)
+{
+  char patc;
+  bool ret;
+  char *new_pat;
+
+  assert(pat != NULL);
+  assert(str != NULL);
+
+  for (;;)
+  {
+    switch (patc = *pat++)
+    {
+    case '\0':
+      return (*str == '\0');
+    case '?':
+      if (*str == '\0')
+        return false;
+      ++str;
+      break;
+    case '*':
+      patc = *pat;
+      while (patc == '*')
+        patc = *++pat;
+      if (patc == '\0')
+        return true;
+      while (*str != '\0')
+      {
+        ret = ac_fnmatch(pat, str);
+        if (ret)
+          return true;
+        ++str;
+      }
+      return false;
+      break;
+    case '[':
+      if (*str == '\0')
+        return false;
+      switch (sequencematch(pat, *str, &new_pat))
+      {
+      case SEQ_MATCH:
+        pat = new_pat;
+        ++str;
+        break;
+      case SEQ_NOMATCH:
+      case SEQ_ERR:
+        return false;
+      }
+      break;
+    default: /* Regular character */
+      if (*str != patc)
+        return false;
+      str++;
+      break;
+    }
+  }
+}
+
diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.h b/src/security/builtin_plugins/access_control/src/access_control_utils.h
new file mode 100644
index 0000000..008ab21
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_utils.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_UTILS_H
+#define ACCESS_CONTROL_UTILS_H
+
+#include <openssl/x509.h>
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/export.h"
+
+#define DDS_ACCESS_CONTROL_PLUGIN_CONTEXT "Access Control"
+
+bool ac_X509_certificate_read(const char *data, X509 **x509Cert, DDS_Security_SecurityException *ex);
+bool ac_X509_certificate_from_data(const char *data, int len, X509 **x509Cert, DDS_Security_SecurityException *ex);
+char *ac_get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *ex);
+bool ac_PKCS7_document_check(const char *data, size_t len, X509 *cert, char **document, DDS_Security_SecurityException *ex);
+bool ac_check_subjects_are_equal(const char *permissions_sn, const char *identity_sn);
+size_t ac_regular_file_size(const char *filename);
+SECURITY_EXPORT bool ac_fnmatch(const char* pattern, const char* string);
+
+#endif /* ACCESS_CONTROL_UTILS_H */
diff --git a/src/security/builtin_plugins/tests/CMakeLists.txt b/src/security/builtin_plugins/tests/CMakeLists.txt
index d3250d0..d822524 100644
--- a/src/security/builtin_plugins/tests/CMakeLists.txt
+++ b/src/security/builtin_plugins/tests/CMakeLists.txt
@@ -23,6 +23,16 @@ set(security_auth_test_sources
     "validate_remote_identity/src/validate_remote_identity_utests.c"
 )
 
+set(security_ac_test_sources
+    "access_control_fnmatch/src/access_control_fnmatch_utests.c"
+    "get_permissions_credential_token/src/get_permissions_credential_token_utests.c"
+    "get_permissions_token/src/get_permissions_token_utests.c"
+    "get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c"
+    # "listeners_access_control/src/listeners_access_control_utests.c"
+    "validate_local_permissions/src/validate_local_permissions_utests.c"
+    "validate_remote_permissions/src/validate_remote_permissions_utests.c"
+)
+
 set(security_crypto_test_sources
     "common/src/crypto_helper.c"
     "create_local_datareader_crypto_tokens/src/create_local_datareader_crypto_tokens_utests.c"
@@ -48,9 +58,21 @@ set(security_crypto_test_sources
     "set_remote_participant_crypto_tokens/src/set_remote_participant_crypto_tokens_utests.c"
 )
 
-add_cunit_executable(cunit_security_plugins ${security_auth_test_sources} ${security_crypto_test_sources})
+add_cunit_executable(cunit_security_plugins ${security_auth_test_sources} ${security_ac_test_sources} ${security_crypto_test_sources})
+target_include_directories(
+  cunit_security_plugins PRIVATE
+  "$<BUILD_INTERFACE:${CMAKE_BINARY_DIR}/src/include/>"
+  "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
+  "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
+  "$<BUILD_INTERFACE:$<TARGET_PROPERTY:ddsrt,INTERFACE_INCLUDE_DIRECTORIES>>"
+  "$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}>"
+  "$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>"
+)
+target_link_libraries(cunit_security_plugins PRIVATE ddsc security_api)
+
 if(OPENSSL_FOUND)
-  target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_crypto)
+target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_ac)
+target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_crypto)
   target_link_libraries(cunit_security_plugins PRIVATE OpenSSL::SSL)
 else()
   message(FATAL_ERROR "To build with openssl support, set ENABLE_OPENSSL to ON")
@@ -58,6 +80,7 @@ endif()
 
 target_include_directories(
   cunit_security_plugins PRIVATE
+      "$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}/../access_control/src/>"
       "$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}/../cryptographic/src/>"
       "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
       "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
diff --git a/src/security/builtin_plugins/tests/access_control_fnmatch/src/access_control_fnmatch_utests.c b/src/security/builtin_plugins/tests/access_control_fnmatch/src/access_control_fnmatch_utests.c
new file mode 100644
index 0000000..08568a3
--- /dev/null
+++ b/src/security/builtin_plugins/tests/access_control_fnmatch/src/access_control_fnmatch_utests.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+#include "access_control_utils.h"
+
+
+CU_Test(ddssec_builtin_access_control_fnmatch, basic)
+{
+  CU_ASSERT(ac_fnmatch("", ""));
+  CU_ASSERT(ac_fnmatch("abc", "abc"));
+  CU_ASSERT(!ac_fnmatch("abc", "ab"));
+  CU_ASSERT(!ac_fnmatch("", "a"));
+  CU_ASSERT(!ac_fnmatch("a", ""));
+
+  CU_ASSERT(ac_fnmatch("a?", "ab"));
+  CU_ASSERT(ac_fnmatch("?b", "ab"));
+  CU_ASSERT(ac_fnmatch("a?c", "abc"));
+  CU_ASSERT(!ac_fnmatch("a?", "abc"));
+  CU_ASSERT(!ac_fnmatch("?c", "abc"));
+
+  CU_ASSERT(ac_fnmatch("a*", "a"));
+  CU_ASSERT(ac_fnmatch("a*", "abc"));
+  CU_ASSERT(ac_fnmatch("a*c", "abc"));
+  CU_ASSERT(ac_fnmatch("a*c", "abbc"));
+  CU_ASSERT(ac_fnmatch("*c", "abc"));
+  CU_ASSERT(ac_fnmatch("*c", "c"));
+  CU_ASSERT(!ac_fnmatch("a*", ""));
+  CU_ASSERT(!ac_fnmatch("a*c", "bc"));
+
+  CU_ASSERT(ac_fnmatch("[ab]", "a"));
+  CU_ASSERT(ac_fnmatch("[ab]", "b"));
+  CU_ASSERT(ac_fnmatch("a[bc]", "ab"));
+  CU_ASSERT(ac_fnmatch("a[bc]", "ac"));
+  CU_ASSERT(ac_fnmatch("a[bc]d", "abd"));
+  CU_ASSERT(ac_fnmatch("a[b-d]", "ab"));
+  CU_ASSERT(ac_fnmatch("a[b-d]", "ac"));
+  CU_ASSERT(ac_fnmatch("a[b-d]", "ad"));
+  CU_ASSERT(ac_fnmatch("a[-b]", "ab"));
+  CU_ASSERT(ac_fnmatch("a[!b]", "ac"));
+  CU_ASSERT(ac_fnmatch("a[!bc]d", "aad"));
+  CU_ASSERT(ac_fnmatch("a]", "a]"));
+  CU_ASSERT(!ac_fnmatch("[ab]", "c"));
+  CU_ASSERT(!ac_fnmatch("a[bc]", "ad"));
+  CU_ASSERT(!ac_fnmatch("a[bc]", "abc"));
+  CU_ASSERT(!ac_fnmatch("a[b-]", "ab"));
+  CU_ASSERT(!ac_fnmatch("a[-", "a"));
+  CU_ASSERT(!ac_fnmatch("a[", "a["));
+  CU_ASSERT(!ac_fnmatch("a[-", "a[-"));
+  CU_ASSERT(!ac_fnmatch("a[!b]", "ab"));
+  CU_ASSERT(!ac_fnmatch("a[!bc]d", "abd"));
+  CU_ASSERT(!ac_fnmatch("a[!b-d]", "ac"));
+  CU_ASSERT(!ac_fnmatch("a[!-b]", "ab"));
+}
diff --git a/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_credential_token/src/get_permissions_credential_token_utests.c b/src/security/builtin_plugins/tests/get_permissions_credential_token/src/get_permissions_credential_token_utests.c
new file mode 100644
index 0000000..bed337f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_credential_token/src/get_permissions_credential_token_utests.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *PERMISSIONS_FILE_NAME = "Test_Permissions_ok.p7s";
+static const char *GOVERNANCE_FILE_NAME = "Test_Governance_ok.p7s";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_permissions_credential_token/etc/";
+
+static const char *IDENTITY_CERTIFICATE =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *PERMISSIONS_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static char *permissions = NULL;
+static char *g_path_to_etc_dir = NULL;
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static DDS_Security_Property_t *find_property(DDS_Security_DataHolder *token, const char *name)
+{
+  DDS_Security_Property_t *result = NULL;
+  uint32_t i;
+
+  for (i = 0; i < token->properties._length && !result; i++)
+    if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0))
+      result = &token->properties._buffer[i];
+  return result;
+}
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static char *read_document_from_file(const char *filename)
+{
+  char *document;
+  char *normalized;
+  char *name;
+
+  /* Get proper file name. */
+  ddsrt_asprintf(&name, "%s%s", g_path_to_etc_dir, filename);
+  normalized = DDS_Security_normalize_file(name);
+  ddsrt_free(name);
+  document = load_file_contents(normalized);
+
+  ddsrt_free(normalized);
+
+  return document;
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static int local_permissions_init(DDS_Security_DomainId domain_id)
+{
+  int res = 0;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t local_participant_guid;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, PERMISSIONS_FILE_NAME, GOVERNANCE_FILE_NAME);
+
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    res = -1;
+    printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  if (res == 0)
+  {
+    local_permissions_handle = access_control->validate_local_permissions(
+        access_control,
+        auth,
+        local_identity_handle,
+        domain_id,
+        &participant_qos,
+        &exception);
+
+    if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+    {
+      res = -1;
+      printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+  }
+
+  reset_exception(&exception);
+
+  dds_security_property_deinit(&participant_qos.property.value);
+
+  return res;
+}
+
+static void local_permissions_clean(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+    {
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_get_permissions_credential_token_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL (plugins != NULL);
+  set_path_to_etc_dir();
+  local_permissions_init(0);
+  permissions = read_document_from_file(PERMISSIONS_FILE_NAME);
+  CU_ASSERT_FATAL (permissions != NULL);
+}
+
+static void suite_get_permissions_credential_token_fini(void)
+{
+  local_permissions_clean();
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+  ddsrt_free(permissions);
+}
+
+static bool validate_permissions_token(DDS_Security_PermissionsCredentialToken *token)
+{
+  DDS_Security_Property_t *property;
+
+  if (!token->class_id || strcmp(token->class_id, "DDS:Access:PermissionsCredential") != 0)
+  {
+    CU_FAIL("PermissionsCredentialToken incorrect class_id");
+    return false;
+  }
+
+  property = find_property(token, "dds.perm.cert");
+  if (property == NULL)
+  {
+    CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' not found");
+    return false;
+  }
+  if (property->value == NULL)
+  {
+    CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' does not have a value");
+    return false;
+  }
+  if (strcmp(property->value, permissions) != 0)
+  {
+    CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' content does not match the permissions file");
+    return false;
+  }
+
+  return true;
+}
+
+CU_Test(ddssec_builtin_get_permissions_credential_token, happy_day, .init = suite_get_permissions_credential_token_init, .fini = suite_get_permissions_credential_token_fini)
+{
+  DDS_Security_PermissionsCredentialToken token;
+  DDS_Security_SecurityException exception;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_credential_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function call. */
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+
+  /* Test token contents. */
+  CU_ASSERT(validate_permissions_token(&token));
+
+  /* Post-requisites. */
+  DDS_Security_DataHolder_deinit(&token);
+  reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_get_permissions_credential_token, invalid_args, .init = suite_get_permissions_credential_token_init, .fini = suite_get_permissions_credential_token_fini)
+{
+  DDS_Security_PermissionsCredentialToken token;
+  DDS_Security_SecurityException exception;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function calls with different invalid args. */
+  result = access_control->get_permissions_credential_token(
+      NULL,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      NULL,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      0,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      NULL);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      local_permissions_handle + 12345 /* invalid handle */,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+}
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_token/src/get_permissions_token_utests.c b/src/security/builtin_plugins/tests/get_permissions_token/src/get_permissions_token_utests.c
new file mode 100644
index 0000000..ca4f708
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_token/src/get_permissions_token_utests.c
@@ -0,0 +1,439 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_permissions_token/etc/";
+
+static const char *IDENTITY_CERTIFICATE =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *PERMISSIONS_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static char *g_path_to_etc_dir = NULL;
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static DDS_Security_Property_t *find_property(DDS_Security_DataHolder *token, const char *name)
+{
+  DDS_Security_Property_t *result = NULL;
+  uint32_t i;
+  for (i = 0; i < token->properties._length && !result; i++)
+    if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0))
+      result = &token->properties._buffer[i];
+  return result;
+}
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static void local_permissions_init(DDS_Security_DomainId domain_id)
+{
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t local_participant_guid;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, "Test_Permissions_ok.p7s", "Test_Governance_ok.p7s");
+
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  CU_ASSERT_EQUAL_FATAL (result, DDS_SECURITY_VALIDATION_OK);
+  reset_exception(&exception);
+  local_permissions_handle = access_control->validate_local_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      domain_id,
+      &participant_qos,
+      &exception);
+
+  CU_ASSERT_FATAL (local_permissions_handle != DDS_SECURITY_HANDLE_NIL);
+  reset_exception(&exception);
+  dds_security_property_deinit(&participant_qos.property.value);
+}
+
+static void local_permissions_clean(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+    {
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_get_permissions_token_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL (plugins != NULL);
+  set_path_to_etc_dir();
+  local_permissions_init(0);
+}
+
+static void suite_get_permissions_token_fini(void)
+{
+  local_permissions_clean();
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+static bool validate_permissions_token(
+    DDS_Security_PermissionsToken *token)
+{
+  if (!token->class_id || strcmp(token->class_id, "DDS:Access:Permissions:1.0") != 0)
+  {
+    CU_FAIL("PermissionsToken incorrect class_id");
+    return false;
+  }
+
+  /* Optional. */
+  if (find_property(token, "dds.perm_ca.sn") == NULL)
+    printf("Optional PermissionsToken property 'dds.perm_ca.sn' not found\n");
+  if (find_property(token, "dds.perm_ca.algo") == NULL)
+    printf("Optional PermissionsToken property 'dds.perm_ca.algo' not found\n");
+  return true;
+}
+
+CU_Test(ddssec_builtin_get_permissions_token, happy_day, .init = suite_get_permissions_token_init, .fini = suite_get_permissions_token_fini)
+{
+  DDS_Security_SecurityException exception;
+  DDS_Security_PermissionsToken token;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function call. */
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+
+  /* Test token contents. */
+  CU_ASSERT(validate_permissions_token(&token));
+
+  /* Post-requisites. */
+  DDS_Security_DataHolder_deinit(&token);
+  reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_get_permissions_token, invalid_args, .init = suite_get_permissions_token_init, .fini = suite_get_permissions_token_fini)
+{
+  DDS_Security_SecurityException exception;
+  DDS_Security_PermissionsToken token;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function calls with different invalid args. */
+  result = access_control->get_permissions_token(
+      NULL,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      NULL,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      0,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      NULL);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      local_permissions_handle + 12345 /* invalid handle */,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+}
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_full.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_full.p7s
new file mode 100644
index 0000000..4ea8fe8
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_full.p7s
@@ -0,0 +1,267 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----05DBD6F6E587875751A79EAC78048D60"
+
+This is an S/MIME signed message
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*other</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>                
+                <id>200</id>
+                <id>30</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>0</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShipData</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+           
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GyBZYdNlmQT2Nv1CHrUEB6+
+C0U0yXvpmj5+mlGojPAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJXrVHO7KdgYM20uGGNL
+P4VRPmYVWoWIkl5/OEzZ8uirs+oGJR7tYLiFl1wzXUzPBB/03qsANmlshDpFgbmV
+thTV7AGRg3SXUDa/cG4N9PupE5VRZaVdbcbdH1DfoIZCLLp4HK3HgqUXkH9vnC92
+tdtgzxZOCrQ4A6WbGiBkWr5LtMWg2lnwPp55vrfRoh6u0qVEumD+VQi+Lroo9M1E
+659LB2dwEcNb1g1HyoodpKlUSsbGsY/JA7bbNrw/KIGVYcoXfmpgWmtzUjfpkPDj
+zVPImqr6jdxP4quGmGWRmrLHPrEYJscJqCwjNTi6naXnAvaE4nxQ4HBgveEodTuP
+8tM=
+
+------05DBD6F6E587875751A79EAC78048D60--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.p7s
new file mode 100644
index 0000000..3ef33a2
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D5AADCFDEEF9EC8B0B116AC356AF41CA"
+
+This is an S/MIME signed message
+
+------D5AADCFDEEF9EC8B0B116AC356AF41CA
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>NONE</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------D5AADCFDEEF9EC8B0B116AC356AF41CA
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg1l4l1hEFvxsjc65MThWHhvCb
+YoBySw0UQA61LL+lSsEwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAF88Gg525eeqmgAtBky5
+lMnQehnA0c37pSL5uTklEcb0xwkQcdWQVerkAwKQb8CJGz4ttwvVqIde2Jn8boJP
+Tb8xYvk38HXFHOpzSEv0qAj0u6dVB+go3OnrdhcM1R7jrHfReBRgnict8pLOPb+Y
+khdlqzOMVxoTpJSiXUWdt5ucKbNvuWROG6TsNs4S5+lJ3EEvDn3++g32VRX9V3h4
+5Hni4AMGmZrjBbmL/S02iR33ltwXYqfipUQjR5S5V/HS0LHX/mjYwuiWCtHNiSIi
+s+8mqW8vNebYA9LeK7bvWXCygqnVr3qJT+ryeXUXtBl7dCTV+QVAlUzbW1wgHSuq
+wtc=
+
+------D5AADCFDEEF9EC8B0B116AC356AF41CA--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.xml
new file mode 100644
index 0000000..e829911
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>NONE</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.p7s
new file mode 100644
index 0000000..38b2c26
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----37F7530AAA327BE7C00C18ECA28FFF95"
+
+This is an S/MIME signed message
+
+------37F7530AAA327BE7C00C18ECA28FFF95
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>false</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------37F7530AAA327BE7C00C18ECA28FFF95
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgqqTuijPzgi5UyYnaRmfKMSwt
+M8Mbr6egpAxWLt7vkkAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACmMVANcUvNpeIpdG6is
+IbAJWbvoIh68B4nMLMU8gij1ZcNavWg6dDU709AJcrCU2ZbVsHKPyBvRuSctkbKe
+XHCRv5bAkcqkLsEVPc4Yu8w2hIC8nSTW1E2l1I+tChcXepcSsmrRFjZI8myDWmre
+Slzcq0nSwKayhMSkv0CJeSzhQGCHBhRnVCb7ZDJXL94VKh1OBxlqTWGLRNQcIk0p
+WXI0B2j5n8nM+neQd1gnKKuvqjSh2/IwUPariRfqpfVm1e8Mc0zNAubHOfuZ/hXj
+tDAPBcJq8gz3sKSbwvN4Rk1J7YV0AnA8pPq3nfoZWvqcUzbdExn2zvzawRgteUyf
+luw=
+
+------37F7530AAA327BE7C00C18ECA28FFF95--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.xml
new file mode 100644
index 0000000..6f12d18
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>false</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.p7s
new file mode 100644
index 0000000..cfc92ac
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E6FE6351D381785F2D971BF5DB266909"
+
+This is an S/MIME signed message
+
+------E6FE6351D381785F2D971BF5DB266909
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------E6FE6351D381785F2D971BF5DB266909
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg7ee1YxacZ9KtXJCLUCzhZB8p
+Sv4SXMFrKtVchg886ZkwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAB3tqkFmfwnk2HXgn9H1
+Ap6Hk7I3TIYBMMQkDTZHbPj3EMOls02+QI++ztvwaBzG7bS6f7qfxhHnNgXF/52t
+Qf20nOXjxAUL82UxVxNmJjqE+FHksSTqEjtKFMy8V+wz9doVSUgdfKKD8SUOOr1I
+nakp0o/Vk/E5bbYOoWaDXJKAo7iiEssbsw33/8eZgPpVOyPS0pqk7w6d/fmo2OMm
+niCl24qiXjdQbkuUT+zuhjKIfBjxqIPRKnOxK+HheR77m/EhkNsYYbsOgLaSXQVW
+O3Kv0GmJGKg0N2KXW5VH+6FhS5KA6TL/6Xz6LzLZFsSyAmhWsBK0l1Ted+z4Tgw3
+fP8=
+
+------E6FE6351D381785F2D971BF5DB266909--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.xml
new file mode 100644
index 0000000..01b2d20
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s
new file mode 100644
index 0000000..c604b13
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4375434DF6819FB7435B04810D502609"
+
+This is an S/MIME signed message
+
+------4375434DF6819FB7435B04810D502609
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------4375434DF6819FB7435B04810D502609
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQglibSNHDswKA0PDJrsz8tZiXT
+1UrMUhYJJbXsLdvTGVowgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACLqhHS8kapMUhLBjAfI
+17FuvzGjgJ2CSy7/yJDz1+OsUdbCofV8jA1rxxPIGv9Koq/BaKHtJdtzpLaag/CD
+SITepCjU+rRoGnZ5vOeSgaHJlDWcRBtAoFME3NrgdYT7ldUABuiPngR5HuwNAUTA
+aY2rPaSds2eWluqH6WJqO+qvRvSZEsypy+OSpRAu954rDfkFGyZ00aQnTpzJTVJT
+MLF8rXziOY9CAHXFN0w6jEBy7Y4pBjnp/bQQFmE41NH9KuATEGPLChInQOYEEeNK
+2rr96Z/rgfhcBE1qyZdt4RNgGNFNCRzeGIX5Kti/jTeas1430sQ+DYJypObVhrhY
+S/M=
+
+------4375434DF6819FB7435B04810D502609--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.xml
new file mode 100644
index 0000000..d011e9c
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.p7s
new file mode 100644
index 0000000..55cf899
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----CAAC97AAFA02CB29461AE6EEFCBDADE0"
+
+This is an S/MIME signed message
+
+------CAAC97AAFA02CB29461AE6EEFCBDADE0
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------CAAC97AAFA02CB29461AE6EEFCBDADE0
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgUQGGQlfgFH2GTdp8QcQHAf7c
+ytQO0EMxvnsXNDiWmfcwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBABl+6OuVlW5UltPGg+9c
+6DlnX12Ah1feD0c/cmOkWjKW9A/soc+5npXvLcbxlkO/+MEkHlH00QKQmX7uY+3Z
+NybUU/2KbzEeqo8WwkqJPFBBPrjbHTAuIIPDHFcSq9oY6zUWMcHDFVjaXcNOfyiA
+clECqfcXesxfwGNXv5x58y0rJdxGiyptryLvJnZozwjNJ08ggY6d2mnitxbtSowY
+InQ02I95vWHYquonVAihvKX9NhaCSDEMyJb/ckL8tJuzQ3qUsEfc5DJVUSOEyCo8
+C7cZbfCpM9R+ZwyhRQOaleHs4kLvli7Q8OkpH8ecUBeg9gQmriju1G2/irvTg4t+
+Tlw=
+
+------CAAC97AAFA02CB29461AE6EEFCBDADE0--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.xml
new file mode 100644
index 0000000..63ee9e4
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.p7s
new file mode 100644
index 0000000..6273245
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7D08A7D2B4B01785900B9A7208F12A69"
+
+This is an S/MIME signed message
+
+------7D08A7D2B4B01785900B9A7208F12A69
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------7D08A7D2B4B01785900B9A7208F12A69
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgu4lTESCOlPw4ua2e8RFY0V80
+KDwe7OyvA7k5OJvb70MwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAE6icR4lmUwDahVEA4BA
+QIl2Pp+WGo1wDLHRdR1YnKt9narfgi6YHlt37sppOuKYPZSrjkcE07nlj9IN3PNR
+2RxeUogt5fLHPll2E+GIfXRkPq5MtCscko+7MyrPkaMOPCv0pQ8e+nEvDkLeKqvS
+jinelekFzICvUd8vg9UozxyUQciPLvjmEVwe+czFiM0oFqN9O9d1y5n985HXc/T5
+RfhSXpXUk2KBPvU+tN9UtdInMylPs8PK8wbONTem7uG9nP/tKL7VCjLiTQm5zAuo
+ecEvLybuALPVwylTppB2a8jMwb3Qt3ERY/do9s9RyFszvMOqBXsDOpSGtjBHT2uU
+Bhs=
+
+------7D08A7D2B4B01785900B9A7208F12A69--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.xml
new file mode 100644
index 0000000..3930f88
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c
new file mode 100644
index 0000000..91381aa
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c
@@ -0,0 +1,1649 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+#if OPENSLL_VERSION_NUMBER >= 0x10002000L
+#define AUTH_INCLUDE_EC
+#endif
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_xxx_sec_attributes/etc/";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *IDENTITY_CERTIFICATE =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *PERMISSIONS_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static struct plugins_hdl *plugins = NULL;
+static dds_security_access_control *access_control = NULL;
+static dds_security_authentication *auth = NULL;
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_GUID_t local_participant_guid;
+static char *g_path_to_etc_dir = NULL;
+
+typedef enum SEC_TOPIC_NAME
+{
+  SEC_TOPIC_DCPSPARTICIPANTSECURE,
+  SEC_TOPIC_DCPSPUBLICATIONSSECURE,
+  SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE,
+  SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE,
+  SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE,
+  SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE,
+  SEC_TOPIC_DCPS_KINEMATICS,
+  SEC_TOPIC_DCPS_OWNSHIPDATA,
+  SEC_TOPIC_DCPS_SHAPE
+} SEC_TOPIC_TYPE;
+
+const char *TOPIC_NAMES[] = {"DCPSParticipantsSecure",
+                             "DCPSPublicationsSecure",
+                             "DCPSSubscriptionsSecure",
+                             "DCPSParticipantMessageSecure",
+                             "DCPSParticipantStatelessMessage",
+                             "DCPSParticipantVolatileMessageSecure",
+                             "Kinematics",
+                             "OwnShipData",
+                             "Shape"
+
+};
+
+static DDS_Security_EndpointSecurityAttributes ATTRIBUTE_CHECKLIST[9];
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename,
+                                 const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static bool create_local_identity(DDS_Security_DomainId domain_id, const char *governance_file)
+{
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, "Test_Permissions_ok.p7s", governance_file);
+
+  /* Now call the function. */
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    printf("[ERROR] validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    return false;
+  }
+
+  local_permissions_handle = access_control->validate_local_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      domain_id,
+      &participant_qos,
+      &exception);
+
+  if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    printf("[ERROR] validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    return false;
+  }
+
+  dds_security_property_deinit(&participant_qos.property.value);
+
+  return true;
+}
+
+static void clear_local_identity(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+    {
+      printf("return_permissions_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+  local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static DDS_Security_PluginEndpointSecurityAttributesMask get_plugin_endpoint_security_attributes_mask(DDS_Security_boolean is_payload_encrypted, DDS_Security_boolean is_submessage_encrypted, DDS_Security_boolean is_submessage_origin_authenticated)
+{
+  DDS_Security_PluginEndpointSecurityAttributesMask mask = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+  if (is_submessage_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  if (is_payload_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED;
+  if (is_submessage_origin_authenticated)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  return mask;
+}
+
+static void suite_get_xxx_sec_attributes_init(void)
+{
+  set_path_to_etc_dir();
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_read_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_read_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_read_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_read_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_read_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_read_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_write_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_write_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_write_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_write_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_write_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_write_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_payload_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_payload_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_payload_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_payload_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_payload_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_payload_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_key_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_key_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_key_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_key_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_key_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_key_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_submessage_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_submessage_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_submessage_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_submessage_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_submessage_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_submessage_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_read_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_write_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_discovery_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_liveliness_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_submessage_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_payload_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_key_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].plugin_endpoint_attributes =
+      get_plugin_endpoint_security_attributes_mask(false, false, false);
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_read_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_write_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_discovery_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_liveliness_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_submessage_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_payload_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_key_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].plugin_endpoint_attributes =
+      get_plugin_endpoint_security_attributes_mask(true, false, false);
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_read_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_write_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_discovery_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_liveliness_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_submessage_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_payload_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_key_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].plugin_endpoint_attributes =
+      get_plugin_endpoint_security_attributes_mask(true, true, true);
+}
+
+static void suite_get_xxx_sec_attributes_fini(void)
+{
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+static bool plugins_init(void)
+{
+  /* Checking AccessControl, but needing Authentication to setup local identity. */
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  return plugins ? true : false;
+}
+
+static void plugins_fini(void)
+{
+  unload_plugins(plugins);
+}
+
+static bool
+verify_endpoint_attributes(SEC_TOPIC_TYPE topic_type, DDS_Security_EndpointSecurityAttributes *attributes)
+{
+  bool result = true;
+  if (attributes->is_read_protected != ATTRIBUTE_CHECKLIST[topic_type].is_read_protected ||
+      attributes->is_write_protected != ATTRIBUTE_CHECKLIST[topic_type].is_write_protected ||
+      attributes->is_submessage_protected != ATTRIBUTE_CHECKLIST[topic_type].is_submessage_protected ||
+      attributes->is_payload_protected != ATTRIBUTE_CHECKLIST[topic_type].is_payload_protected ||
+      attributes->is_key_protected != ATTRIBUTE_CHECKLIST[topic_type].is_key_protected)
+  {
+
+    result = false;
+  }
+  if (topic_type == SEC_TOPIC_DCPS_KINEMATICS || topic_type == SEC_TOPIC_DCPS_SHAPE)
+  {
+    if (attributes->is_discovery_protected != ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected ||
+        attributes->is_liveliness_protected != ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected ||
+        attributes->plugin_endpoint_attributes != ATTRIBUTE_CHECKLIST[topic_type].plugin_endpoint_attributes)
+    {
+      result = false;
+    }
+  }
+
+  if (!result)
+  {
+    printf("Invalid attribute for Topic: %s\n", TOPIC_NAMES[topic_type]);
+    printf("is_read_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_write_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_discovery_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_liveliness_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_submessage_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_payload_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_key_protected: EXPECTED: %d ACTUAL: %d\n",
+           ATTRIBUTE_CHECKLIST[topic_type].is_read_protected, attributes->is_read_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_write_protected, attributes->is_write_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected, attributes->is_discovery_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected, attributes->is_liveliness_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_submessage_protected, attributes->is_submessage_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_payload_protected, attributes->is_payload_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_key_protected, attributes->is_key_protected);
+  }
+
+  return result;
+}
+
+static bool verify_topic_attributes(SEC_TOPIC_TYPE topic_type, DDS_Security_TopicSecurityAttributes *attributes)
+{
+  bool result = true;
+  if (attributes->is_read_protected != ATTRIBUTE_CHECKLIST[topic_type].is_read_protected ||
+      attributes->is_write_protected != ATTRIBUTE_CHECKLIST[topic_type].is_write_protected ||
+      attributes->is_discovery_protected != ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected ||
+      attributes->is_liveliness_protected != ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected)
+  {
+    result = false;
+  }
+
+  if (!result)
+  {
+    printf("Invalid attribute for Topic: %s\n", TOPIC_NAMES[topic_type]);
+    printf("is_read_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_write_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_discovery_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_liveliness_protected: EXPECTED: %d ACTUAL: %d\n",
+           ATTRIBUTE_CHECKLIST[topic_type].is_read_protected, attributes->is_read_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_write_protected, attributes->is_write_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected, attributes->is_discovery_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected, attributes->is_liveliness_protected);
+  }
+
+  return result;
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, participant_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_full.p7s (selected because of domain id 0):
+     *
+     *    <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *    <enable_join_access_control>true</enable_join_access_control>
+     *    <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+     *    <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+     *    <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+     */
+  CU_ASSERT(attributes.allow_unauthenticated_participants == false);
+  CU_ASSERT(attributes.is_access_protected == true);
+  CU_ASSERT(attributes.is_discovery_protected == true);
+  CU_ASSERT(attributes.is_liveliness_protected == true);
+  CU_ASSERT(attributes.is_rtps_protected == true);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED) == 0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED) == 0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID) != 0);
+
+  result = access_control->return_participant_sec_attributes(
+      access_control,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  clear_local_identity();
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datawriter_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+  unsigned i;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantsSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+    and a sample DCPS topic*/
+
+  /* Now call the function. */
+  for (i = SEC_TOPIC_DCPSPARTICIPANTSECURE; i <= SEC_TOPIC_DCPS_SHAPE; ++i)
+  {
+
+    result = access_control->get_datawriter_sec_attributes(
+        access_control,
+        local_permissions_handle,
+        TOPIC_NAMES[i],
+        partition,
+        &data_tag,
+        &attributes,
+        &exception);
+
+    CU_ASSERT_FATAL(result);
+
+    CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+    CU_ASSERT_FATAL(verify_endpoint_attributes(i, &attributes));
+
+    //reset control values
+    memset(&attributes, 0, sizeof(attributes));
+    reset_exception(&exception);
+  }
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datawriter_non_existing_topic, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  /* use a different domain(30) to get non matching topic result */
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      TOPIC_NAMES[SEC_TOPIC_DCPS_SHAPE],
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datareader_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+  unsigned i;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datareader_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+     and a sample DCPS topic*/
+
+  /* Now call the function. */
+  for (i = SEC_TOPIC_DCPSPARTICIPANTSECURE; i <= SEC_TOPIC_DCPS_SHAPE; ++i)
+  {
+
+    result = access_control->get_datareader_sec_attributes(
+        access_control,
+        local_permissions_handle,
+        TOPIC_NAMES[i],
+        partition,
+        &data_tag,
+        &attributes,
+        &exception);
+
+    CU_ASSERT_FATAL(result);
+
+    CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+    CU_ASSERT_FATAL(verify_endpoint_attributes(i, &attributes) == true);
+
+    //reset control values
+    memset(&attributes, 0, sizeof(attributes));
+    reset_exception(&exception);
+  }
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datareader_non_existing_topic, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  /* use a different domain (30) to get non matching topic result */
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      TOPIC_NAMES[SEC_TOPIC_DCPS_SHAPE],
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, participant_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attributes;
+  bool result;
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  result = access_control->get_participant_sec_attributes(
+      NULL,
+      local_permissions_handle,
+      &attributes,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      0,
+      &attributes,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      &attributes,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datareader_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datareader_sec_attributes != NULL);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "Shape",
+      partition,
+      &data_tag,
+      NULL,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      "Shape",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datawriter_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "Shape",
+      partition,
+      &data_tag,
+      NULL,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      "Shape",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, topic_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_TopicSecurityAttributes attributes;
+  bool result;
+  unsigned i;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_topic_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantsSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+    and a sample DCPS topic*/
+
+  /* Now call the function. */
+  for (i = SEC_TOPIC_DCPS_KINEMATICS; i <= SEC_TOPIC_DCPS_SHAPE; ++i)
+  {
+
+    result = access_control->get_topic_sec_attributes(
+        access_control,
+        local_permissions_handle,
+        TOPIC_NAMES[i],
+        &attributes,
+        &exception);
+
+    CU_ASSERT_FATAL(result);
+
+    CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+    CU_ASSERT_FATAL(verify_topic_attributes(i, &attributes));
+
+    //reset control values
+    memset(&attributes, 0, sizeof(attributes));
+    reset_exception(&exception);
+  }
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, topic_non_existing_topic, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_TopicSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_topic_sec_attributes != NULL);
+
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantsSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+    and a sample DCPS topic*/
+
+  /* Now call the function. */
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      TOPIC_NAMES[SEC_TOPIC_DCPS_SHAPE],
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, topic_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_TopicSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_topic_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "",
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "Shape",
+      NULL,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      "Shape",
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, participant_2nd_rule, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  /*
+     * Expect these values based on these options, which is the 2nd domain rule
+     * in the Test_Governance_full.p7s (selected because of domain id 30):
+     *
+     *    <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+     *    <enable_join_access_control>0</enable_join_access_control>
+     *    <discovery_protection_kind>SIGN</discovery_protection_kind>
+     *    <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+     *    <rtps_protection_kind>NONE</rtps_protection_kind>
+     */
+  CU_ASSERT(attributes.allow_unauthenticated_participants == true);
+  CU_ASSERT(attributes.is_access_protected == false);
+  CU_ASSERT(attributes.is_discovery_protected == true);
+  CU_ASSERT(attributes.is_liveliness_protected == true);
+  CU_ASSERT(attributes.is_rtps_protected == false);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED) ==
+            DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED) ==
+            0);
+
+  result = access_control->return_participant_sec_attributes(
+      access_control,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  clear_local_identity();
+  plugins_fini();
+}
+
+static void test_liveliness_discovery_participant_attr(
+    DDS_Security_PermissionsHandle hdl,
+    bool liveliness_protected,
+    DDS_Security_unsigned_long liveliness_mask,
+    bool discovery_protected,
+    DDS_Security_unsigned_long discovery_mask)
+{
+  DDS_Security_unsigned_long mask = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID |
+                                    liveliness_mask |
+                                    discovery_mask;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attr;
+  bool result;
+
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  memset(&attr, 0, sizeof(attr));
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      hdl,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+
+  CU_ASSERT(attr.allow_unauthenticated_participants == false);
+  CU_ASSERT(attr.is_access_protected == true);
+  CU_ASSERT(attr.is_discovery_protected == discovery_protected);
+  CU_ASSERT(attr.is_liveliness_protected == liveliness_protected);
+  CU_ASSERT(attr.is_rtps_protected == false);
+  CU_ASSERT(attr.plugin_participant_attributes == mask);
+
+  result = access_control->return_participant_sec_attributes(
+      access_control,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+}
+
+static void test_liveliness_discovery_writer_attr(
+    const char *topic_name,
+    DDS_Security_PermissionsHandle hdl,
+    bool liveliness_protected,
+    bool discovery_protected,
+    bool submsg_protected,
+    DDS_Security_unsigned_long submsg_mask)
+{
+  DDS_Security_unsigned_long mask = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID | submsg_mask;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_EndpointSecurityAttributes attr;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  bool result;
+
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  memset(&attr, 0, sizeof(attr));
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      hdl,
+      topic_name,
+      partition,
+      &data_tag,
+      &attr,
+      &exception);
+  CU_ASSERT_FATAL(result);
+
+  CU_ASSERT(attr.is_read_protected == false);
+  CU_ASSERT(attr.is_write_protected == false);
+  CU_ASSERT(attr.is_submessage_protected == submsg_protected);
+  CU_ASSERT(attr.is_payload_protected == false);
+  CU_ASSERT(attr.is_key_protected == false);
+  CU_ASSERT(attr.is_discovery_protected == discovery_protected);
+  CU_ASSERT(attr.is_liveliness_protected == liveliness_protected);
+  CU_ASSERT(attr.plugin_endpoint_attributes == mask);
+
+  result = access_control->return_datawriter_sec_attributes(
+      access_control,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+}
+
+static void test_liveliness_discovery_reader_attr(
+    const char *topic_name,
+    DDS_Security_PermissionsHandle hdl,
+    bool liveliness_protected,
+    bool discovery_protected,
+    bool submsg_protected,
+    DDS_Security_unsigned_long submsg_mask)
+{
+  DDS_Security_unsigned_long mask = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID | submsg_mask;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_EndpointSecurityAttributes attr;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  bool result;
+  return;
+  CU_ASSERT_FATAL(access_control->get_datareader_sec_attributes != NULL);
+
+  memset(&attr, 0, sizeof(attr));
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      hdl,
+      topic_name,
+      partition,
+      &data_tag,
+      &attr,
+      &exception);
+  CU_ASSERT_FATAL(result);
+
+  CU_ASSERT(attr.is_read_protected == false);
+  CU_ASSERT(attr.is_write_protected == false);
+  CU_ASSERT(attr.is_submessage_protected == submsg_protected);
+  CU_ASSERT(attr.is_payload_protected == false);
+  CU_ASSERT(attr.is_key_protected == false);
+  CU_ASSERT(attr.is_discovery_protected == discovery_protected);
+  CU_ASSERT(attr.is_liveliness_protected == liveliness_protected);
+  CU_ASSERT(attr.plugin_endpoint_attributes == mask);
+
+  result = access_control->return_datareader_sec_attributes(
+      access_control,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+}
+
+static void test_liveliness_discovery_attr(
+    const char *governance,
+    bool liveliness_protected,
+    DDS_Security_unsigned_long liveliness_mask,
+    bool discovery_protected,
+    DDS_Security_unsigned_long discovery_mask)
+{
+  DDS_Security_unsigned_long submsg_liveliness_mask = 0;
+  DDS_Security_unsigned_long submsg_discovery_mask = 0;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+
+  result = create_local_identity(0, governance);
+  CU_ASSERT_FATAL(result);
+
+  /* For some endpoints, the submsg encryption mask depends on either the
+     * discovery or liveliness mask. */
+  if (liveliness_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED)
+  {
+    submsg_liveliness_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  }
+  if (liveliness_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED)
+  {
+    submsg_liveliness_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  }
+  if (discovery_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED)
+  {
+    submsg_discovery_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  }
+  if (discovery_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED)
+  {
+    submsg_discovery_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  }
+
+  /* Participant attributes */
+
+  test_liveliness_discovery_participant_attr(
+      local_permissions_handle,
+      liveliness_protected,
+      liveliness_mask,
+      discovery_protected,
+      discovery_mask);
+
+  /* Writer attributes */
+
+  /* User topic. */
+  test_liveliness_discovery_writer_attr(
+      "Kinematics",
+      local_permissions_handle,
+      liveliness_protected,
+      discovery_protected,
+      false /* submsg_protected     */,
+      0 /* submsg_mask          */);
+
+  /* Builtin topic. */
+  test_liveliness_discovery_writer_attr(
+      "DCPSPublication",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      false /* submsg_protected     */,
+      0 /* submsg_mask          */);
+
+  /* Security (normal) builtin topic. */
+  test_liveliness_discovery_writer_attr(
+      "DCPSPublicationsSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      discovery_protected /* submsg_protected     */,
+      submsg_discovery_mask /* submsg_mask          */);
+
+  /* Security (liveliness affected) builtin topic. */
+  test_liveliness_discovery_writer_attr(
+      "DCPSParticipantMessageSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      liveliness_protected /* submsg_protected     */,
+      submsg_liveliness_mask /* submsg_mask          */);
+
+  /* Reader attributes */
+
+  /* User topic. */
+  test_liveliness_discovery_reader_attr(
+      "Kinematics",
+      local_permissions_handle,
+      liveliness_protected,
+      discovery_protected,
+      false /* submsg_protected     */,
+      false /* submsg_mask          */);
+
+  /* Builtin topic. */
+  test_liveliness_discovery_reader_attr(
+      "DCPSPublication",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      false /* submsg_protected     */,
+      0 /* submsg_mask          */);
+
+  /* Security (normal) builtin topic. */
+  test_liveliness_discovery_reader_attr(
+      "DCPSPublicationsSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      discovery_protected /* submsg_protected     */,
+      submsg_discovery_mask /* submsg_mask          */);
+
+  /* Security (liveliness affected) builtin topic. */
+  test_liveliness_discovery_reader_attr(
+      "DCPSParticipantMessageSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      liveliness_protected /* submsg_protected     */,
+      submsg_liveliness_mask /* submsg_mask          */);
+
+  clear_local_identity();
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_clear, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>NONE</discovery_protection_kind>
+     *   <liveliness_protection_kind>NONE</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>false</enable_liveliness_protection>
+     *           <enable_discovery_protection>false</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_clear.p7s",
+      /* liveliness_protected */
+      false,
+      /* liveliness_mask      */
+      0,
+      /* discovery_protected  */
+      false,
+      /* discovery_mask       */
+      0);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_encrypted, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+     *   <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_encrypted.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_signed, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>SIGN</discovery_protection_kind>
+     *   <liveliness_protection_kind>SIGN</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_signed.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      0,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      0);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_encrypted_and_authenticated, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+     *   <liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED |
+          DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED |
+          DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_signed_and_authenticated, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+     *   <liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_signed_and_authenticated.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_different, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+     *   <liveliness_protection_kind>NONE</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>false</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_different.p7s",
+      /* liveliness_protected */
+      false,
+      /* liveliness_mask      */
+      0,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED);
+}
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca.pem b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca.pem
new file mode 100644
index 0000000..2372ae0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj
+aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx
+MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM
+ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV
+BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD
+uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO
+NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r
+cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L
+FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu
+kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK
+ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND
+LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI
+eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0
+KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl
+PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs
+hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF
+HQ==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca_key.pem b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca_key.pem
new file mode 100644
index 0000000..22fac8b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxr
+nGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSp
+ZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0q
+n2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx
++wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmK
+hysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABAoIBABWqhMSCr+7Mr3O3
+bIymOr+CT4xWI8S47hmKGFCLTrNsfy7cQZ9PdHkm7Ez+rCx+KwQaTrwz7EM/e8aH
+q2zimMn4YXxeS7MFdM+Xvp/Y0BhXMd1j8Nk0x14+WHmQ88YfA4szdrHDekR+6oB6
+5Lc2fAfNbCGdpRksCQWDndrvIOda1swKW1RsGWHPGtSM1qOg09A4CeASqbsxZfdL
+9MgI7aJKYnvJrUhqsNZU3fuOrLDNl7/JvdI08nYLnNkEvbDYbdfH0Q/4laKsSJcp
+0jM6tPrxbHMDmBEwullVPrVqJX+n6Hvz3E8C9QiZq8NWbJUc5FntLx8ynbiJg6Lb
+1w49WxECgYEA8yVky++3v0ZMKZeSeGj3MuKuEJ2q3UdmsKXA+Pyq0rL/hh7r2oUY
+dQDs23BIuaHeIZxAGaMeMjoYQBi+G50XfwHZSMqivxX/yYkXxOJfPQvVLDbqCIWS
+94qU4/xo50IkCNxpvRwfpKG2ce5YG7jrQkfb5I6TfKUWAaXpmaQnbYsCgYEAxaVn
+Hzw3OdY7q6kURSY6a8KqtcuN0lNKeUb68vZemmZ0FNKmyh+xGVFXXlvmJpQgr5Zm
+2W2a1C1oPq2DEdvSKt/aTHVIazG9TtFK1WAXpLxmlXlyqWRv+IvdVkph+p/3dIT0
+Ilaglgbndth4xk0c1zqy3g4VlAgWgKKi5owZ/j8CgYEAndsFGbHEJZZKFCannSzo
+cEzinT7/kzGr5bt3ES9Y5/n2Euk4TmJignPbUowPaxU/1apPo1VXYVx+Kf7mTZ8r
+hfV5T9ze1BhAPGOY3uXo1wU7nLz6LBYsWDHMgEd7A8jZBDe1HmWH1aZ3gHgxE652
+bk2g4T3/WskDBIbmpi0AvAkCgYBKAfFnRMj5IzscwCcS7YmaqD377MiiJQYR+34k
+VBSAhDSbR3Wk4dESxd6NOqQndff3R74jVGNRZ99M+PPHUCSWYVQApToEyY81YDFB
+TMYNrW5MMjm5LB6xVs3+bcPacOPcAZzY7s8a3mL1oYE339AY16X6eBOkZpLmf/+3
+jGZ/SQKBgQDkyxymL4xJGV8HCDontJZiBStD954GH1AgqEAOdQxU5vW4ySQ7yRoT
+ajb8tH052yWW11Mxd0TRW9qbVI0/4/4lR86sODYLFbgrHAMBl7mxJ8Qwi4zdI9Am
+FXGkj5SX2bYrf2f0YvCHNUbELTd4mF6kAH0Eg6kHRXLsSbhtWC7D3Q==
+-----END RSA PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_listener.p7s b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_listener.p7s
new file mode 100644
index 0000000..08434a9
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_listener.p7s
@@ -0,0 +1,51 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----3900963D3572093F6AEC654A72CAEE5A"
+
+This is an S/MIME signed message
+
+------3900963D3572093F6AEC654A72CAEE5A
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>                                    <dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"                                                                xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">          <permissions>                                                                                                               <grant name="DEFAULT_PERMISSIONS">                                                                                        <subject_name>/C=NL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CHAM500 cert</subject_name>                                                                                           <validity>                                                                                                                  <not_before>2015-09-15T01:00:00</not_before>                                                                            <not_after>2019-11-18T11:48:49</not_after>                                                                          </validity>                                                                                                             <deny_rule>                                                                                                                <domains>                                                                                                                   <id_range>                                                                                                                  <min>0</min>                                                                                                            <max>230</max>                                                                                                      </id_range>                                                                                                         </domains>                                                                                                              <publish>                                                                                                                   <topics>                                                                                                                    <topic>*</topic>                                                                                                    </topics>                                                                                                               <partitions/>                                                                                                       </publish>                                                                                                              <subscribe>                                                                                                                 <topics>                                                                                                                    <topic>*</topic>                                                                                                    </topics>                                                                                                               <partitions/>                                                                                                       </subscribe>                                                                                                       </deny_rule>                                                                                                           <default>DENY</default>                                                                                             </grant>                                                                                                            </permissions>                                                                                                      </dds>                                  
+------3900963D3572093F6AEC654A72CAEE5A
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkxMTE4MTE0ODQ4WjAvBgkqhkiG9w0BCQQxIgQgaLNNlFwfVR0PrziT9wCAy5bM
+qCZJX9yO3xJgut3/o7EweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEAWCFrUIvdYKBeT0lmpkRdmYJuvdmQ/Ro7k9iyreVofpB1/70B
+hVOEeRjrlmhv/TUjSgQyli56wmXFmexcNRzSzpPNycz0gjwP9kX5BMnhAkKd08fC
+4rgoirScmNxvxEkj5+wyq7s7rBEJOgVQ9ofwiZXEBVDMVvW2ENZhVF3FyoNulDQe
+6BjXkuLw/QrJLWjywPy5naSSda2T7V3+Ssdu5/2vEjXPIJMM+xPOCaqGHJsSb72s
+KiP48jZ95Wruvj3QAlpGxDaazWPTgn7tfThYrY3Kgiz5zyZM7FhFyIqxRF/89Ngo
+hbu2mWzcXFF7wBLy+CvK5Foajro9t/PzD8uNuA==
+
+------3900963D3572093F6AEC654A72CAEE5A--
+
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/src/listeners_access_control_utests.c b/src/security/builtin_plugins/tests/listeners_access_control/src/listeners_access_control_utests.c
new file mode 100644
index 0000000..5f32d09
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/src/listeners_access_control_utests.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#define REMOVE_THREAD_STATE() ERR_remove_thread_state(NULL);
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L
+#define REMOVE_THREAD_STATE() ERR_remove_state(0);
+#else
+#define REMOVE_THREAD_STATE()
+#endif
+
+static const char *ACCESS_PERMISSIONS_TOKEN_ID = "DDS:Access:Permissions:1.0";
+static const char *AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *PROPERTY_PERMISSIONS_CA_SN = "dds.perm_ca.sn";
+static const char *PROPERTY_PERMISSIONS_CA_ALGO = "dds.perm_ca.algo";
+static const char *PROPERTY_C_ID = "c.id";
+static const char *PROPERTY_C_PERM = "c.perm";
+
+static const char *SUBJECT_NAME_PERMISSIONS_CA = "C=NL, ST=Some-State, O=ADLINK Technolocy Inc., CN=adlinktech.com";
+static const char *RSA_2048_ALGORITHM_NAME = "RSA-2048";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/listeners_access_control/etc/";
+static const char *PERMISSIONS_CA_CERT_FILE = "Test_Permissions_ca.pem";
+static const char *PERMISSIONS_CA_KEY_FILE = "Test_Permissions_ca_key.pem";
+static const char *PERMISSIONS_FILE = "Test_Permissions_listener.p7s";
+static dds_security_access_control_listener ac_listener;
+
+static const char *identity_certificate =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *identity_ca =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *private_key =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *permissions_ca = /*Test_Permissions_ca.pem */
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+#define PERMISSIONS_DOCUMENT "<?xml version=\"1.0\" encoding=\"utf-8\"?>                                    \
+<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"                                                            \
+    xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd\">      \
+    <permissions>                                                                                                       \
+        <grant name=\"DEFAULT_PERMISSIONS\">                                                                            \
+            <subject_name>/C=NL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CHAM500 cert</subject_name>                                                                               \
+            <validity>                                                                                                  \
+                <not_before>2015-09-15T01:00:00</not_before>                                                            \
+                <not_after>PERMISSION_EXPIRY_DATE</not_after>                                                              \
+            </validity>                                                                                                 \
+            <deny_rule>                                                                                                \
+                <domains>                                                                                               \
+                    <id_range>                                                                                          \
+                        <min>0</min>                                                                                    \
+                        <max>230</max>                                                                                  \
+                    </id_range>                                                                                         \
+                </domains>                                                                                              \
+                <publish>                                                                                               \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </publish>                                                                                              \
+                <subscribe>                                                                                             \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </subscribe>                                                                                            \
+           </deny_rule>                                                                                                \
+           <default>DENY</default>                                                                                     \
+        </grant>                                                                                                        \
+    </permissions>                                                                                                      \
+</dds>                                  "
+
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle remote_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_GUID_t local_participant_guid;
+static char *g_path_to_etc_dir = NULL;
+static DDS_Security_PermissionsHandle permission_handle_for_callback1 = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle permission_handle_for_callback2 = DDS_SECURITY_HANDLE_NIL;
+static dds_time_t local_expiry_date;
+static dds_time_t remote_expiry_date;
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static void get_future_xsdate(char *str, size_t len, int32_t delta)
+{
+  time_t rawtime;
+  struct tm *future;
+
+  /* Get future time. */
+  rawtime = time(NULL) + delta;
+  future = gmtime(&rawtime);
+
+  /* Put the future time in a xsDate format. */
+  strftime(str, len, "%Y-%m-%dT%H:%M:%S", future);
+}
+
+static int smime_sign(const char *certificate_file, const char *key_file, const char *data, const char *out_file)
+{
+  BIO *in = NULL, *out = NULL, *tbio = NULL, *keybio = NULL;
+  X509 *scert = NULL;
+  EVP_PKEY *skey = NULL;
+  PKCS7 *p7 = NULL;
+  int ret = 1;
+  int flags = PKCS7_DETACHED | PKCS7_STREAM | PKCS7_TEXT;
+
+  /* Read in signer certificate and private key */
+  tbio = BIO_new_file(certificate_file, "r");
+  if (!tbio)
+    goto err;
+  scert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
+
+  keybio = BIO_new_file(key_file, "r");
+  if (!keybio)
+    goto err;
+
+  skey = PEM_read_bio_PrivateKey(keybio, NULL, 0, NULL);
+  if (!scert || !skey)
+    goto err;
+
+  /* Open content being signed */
+  in = BIO_new_mem_buf(data, (int)strlen(data));
+  if (!in)
+    goto err;
+  /* Sign content */
+  p7 = PKCS7_sign(scert, skey, NULL, in, flags);
+  if (!p7)
+    goto err;
+  out = BIO_new_file(out_file, "w");
+  if (!out)
+    goto err;
+
+  //if (!(flags & PKCS7_STREAM))
+  //    BIO_reset(in);
+
+  /* Write out S/MIME message */
+  if (!SMIME_write_PKCS7(out, p7, in, flags))
+    goto err;
+  ret = 0;
+err:
+  if (ret)
+  {
+    fprintf(stderr, "Error Signing Data\n");
+    ERR_print_errors_fp(stderr);
+  }
+  if (p7)
+    PKCS7_free(p7);
+  if (scert)
+    X509_free(scert);
+  if (skey)
+    EVP_PKEY_free(skey);
+  if (in)
+    BIO_free(in);
+  if (keybio)
+    BIO_free(keybio);
+  if (out)
+    BIO_free(out);
+  if (tbio)
+    BIO_free(tbio);
+
+  return ret;
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, int32_t permission_expiry, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+  char *permissions_ca_cert_file;
+  char *permissions_ca_key_file;
+  char *permissions_file;
+  char *permissions_xml_with_expiry;
+  char permission_expiry_date_str[30];
+
+  /*get time in future */
+  get_future_xsdate(permission_expiry_date_str, 30, permission_expiry);
+  local_expiry_date = DDS_Security_parse_xml_date(permission_expiry_date_str);
+
+  permissions_xml_with_expiry = ddsrt_str_replace(PERMISSIONS_DOCUMENT, "PERMISSION_EXPIRY_DATE", permission_expiry_date_str, 1);
+
+  ddsrt_asprintf(&permissions_ca_cert_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_CERT_FILE);
+  ddsrt_asprintf(&permissions_ca_key_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_KEY_FILE);
+  ddsrt_asprintf(&permissions_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_FILE);
+
+  smime_sign(permissions_ca_cert_file, permissions_ca_key_file, permissions_xml_with_expiry, permissions_file);
+
+  //check sign result
+  ddsrt_asprintf(&permission_uri, "file:%s", permissions_file);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(private_key);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(permissions_ca);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+  ddsrt_free(permissions_xml_with_expiry);
+  ddsrt_free(permissions_ca_key_file);
+  ddsrt_free(permissions_ca_cert_file);
+  ddsrt_free(permissions_file);
+}
+
+static void fill_permissions_token(DDS_Security_PermissionsToken *token)
+{
+  memset(token, 0, sizeof(DDS_Security_PermissionsToken));
+
+  token->class_id = ddsrt_strdup(ACCESS_PERMISSIONS_TOKEN_ID);
+  token->properties._length = token->properties._maximum = 2;
+  token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+  token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_SN);
+  token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_PERMISSIONS_CA);
+
+  token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_ALGO);
+  token->properties._buffer[1].value = ddsrt_strdup(RSA_2048_ALGORITHM_NAME);
+}
+
+static int fill_peer_credential_token(DDS_Security_AuthenticatedPeerCredentialToken *token, int32_t permission_expiry)
+{
+  int result = 1;
+  char *permission_data;
+
+  char *permissions_ca_cert_file;
+  char *permissions_ca_key_file;
+  char *permissions_file;
+  char *permissions_xml_with_expiry;
+  char permission_expiry_date_str[30];
+
+  /*get time in future */
+  get_future_xsdate(permission_expiry_date_str, 30, permission_expiry);
+  remote_expiry_date = DDS_Security_parse_xml_date(permission_expiry_date_str);
+  permissions_xml_with_expiry = ddsrt_str_replace(PERMISSIONS_DOCUMENT, "PERMISSION_EXPIRY_DATE", permission_expiry_date_str, 1);
+
+  ddsrt_asprintf(permissions_ca_cert_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_CERT_FILE);
+  ddsrt_asprintf(permissions_ca_key_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_KEY_FILE);
+  ddsrt_asprintf(permissions_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_FILE);
+
+  smime_sign(permissions_ca_cert_file, permissions_ca_key_file, permissions_xml_with_expiry, permissions_file);
+
+  memset(token, 0, sizeof(DDS_Security_AuthenticatedPeerCredentialToken));
+
+  permission_data = load_file_contents(permissions_file);
+
+  if (permission_data)
+  {
+    token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+    token->properties._length = token->properties._maximum = 2;
+    token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+    token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_C_ID);
+    token->properties._buffer[0].value = ddsrt_strdup(&identity_certificate[6]);
+
+    token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_C_PERM);
+    token->properties._buffer[1].value = permission_data;
+  }
+  else
+  {
+    ddsrt_free(permission_data);
+    result = 0;
+  }
+
+  ddsrt_free(permissions_xml_with_expiry);
+  ddsrt_free(permissions_ca_key_file);
+  ddsrt_free(permissions_ca_cert_file);
+  ddsrt_free(permissions_file);
+  return result;
+}
+
+static DDS_Security_long
+validate_local_identity_and_permissions(int32_t permission_expiry)
+{
+  DDS_Security_long res = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_DomainId domain_id = 0;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, permission_expiry, "Test_Governance_ok.p7s");
+
+  /* Now call the function. */
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    res = DDS_SECURITY_ERR_UNDEFINED_CODE;
+    printf("validate_local_identity_failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  if (res == 0)
+  {
+    local_permissions_handle = access_control->validate_local_permissions(
+        access_control,
+        auth,
+        local_identity_handle,
+        0,
+        &participant_qos,
+        &exception);
+
+    if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+    {
+      printf("validate_local_permissions_failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
+      if (exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE)
+        /* This can happen on very slow platforms or when doing a valgrind run. */
+        res = DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE;
+      else
+        res = DDS_SECURITY_ERR_UNDEFINED_CODE;
+    }
+  }
+
+  dds_security_property_deinit(&participant_qos.property.value);
+  ddsrt_free(exception.message);
+
+  return res;
+}
+
+static void clear_local_identity_and_permissions(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_listeners_access_control_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL(plugins != NULL);
+  set_path_to_etc_dir();
+  OpenSSL_add_all_algorithms();
+  ERR_load_crypto_strings();
+}
+
+static void suite_listeners_access_control_fini(void)
+{
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+  EVP_cleanup();
+  CRYPTO_cleanup_all_ex_data();
+  REMOVE_THREAD_STATE();
+  ERR_free_strings();
+}
+
+static DDS_Security_boolean on_revoke_permissions_cb(dds_security_access_control_listener *instance, const dds_security_access_control *plugin, const DDS_Security_PermissionsHandle handle)
+{
+  DDSRT_UNUSED_ARG(instance);
+  DDSRT_UNUSED_ARG(plugin);
+  if (permission_handle_for_callback1 == DDS_SECURITY_HANDLE_NIL)
+    permission_handle_for_callback1 = handle;
+  else if (permission_handle_for_callback2 == DDS_SECURITY_HANDLE_NIL)
+    permission_handle_for_callback2 = handle;
+  printf("Listener called for handle: %lld  Local:%ld Remote:%ld\n", (long long)handle, local_permissions_handle, remote_permissions_handle);
+  return true;
+}
+
+CU_Test(ddssec_builtin_listeners_access_control, local_2secs, .init = suite_listeners_access_control_init, .fini = suite_listeners_access_control_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_long valid;
+  int r;
+  dds_duration_t time_left = DDS_MSECS(10000);
+  bool local_expired = false;
+  bool remote_expired = false;
+
+  local_expiry_date = 0;
+  remote_expiry_date = 0;
+
+  ac_listener.on_revoke_permissions = &on_revoke_permissions_cb;
+
+  valid = validate_local_identity_and_permissions(2);
+  if (valid == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE)
+  {
+    /* This can happen on very slow platforms or when doing a valgrind run.
+         * Just take our losses and quit, simulating a success. */
+    return;
+  }
+  CU_ASSERT_FATAL(valid == DDS_SECURITY_ERR_OK_CODE);
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, 1);
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  access_control->set_listener(access_control, &ac_listener, &exception);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    /* Expiry can happen on very slow platforms or when doing a valgrind run.
+         * Just take our losses and quit, simulating a success. */
+    CU_ASSERT(exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE);
+    goto end;
+  }
+
+  remote_permissions_handle = result;
+
+  reset_exception(&exception);
+
+  while (time_left > 0 && (!local_expired || !remote_expired))
+  {
+    /* Normally, it is expected that the remote expiry is triggered before the
+         * local one. However, that can change on slow platforms. */
+    if (remote_expiry_date < local_expiry_date)
+    {
+      if (permission_handle_for_callback1 == remote_permissions_handle)
+      {
+        remote_expired = true;
+      }
+      if (permission_handle_for_callback2 == local_permissions_handle)
+      {
+        local_expired = true;
+      }
+    }
+    else
+    {
+      if (permission_handle_for_callback2 == remote_permissions_handle)
+      {
+        remote_expired = true;
+      }
+      if (permission_handle_for_callback1 == local_permissions_handle)
+      {
+        local_expired = true;
+      }
+    }
+
+    dds_sleepfor(DDS_MSECS(100));
+    time_left -= DDS_MSECS(100);
+  }
+
+  CU_ASSERT(local_expired);
+  CU_ASSERT(remote_expired);
+
+  access_control->return_permissions_handle(access_control, result, &exception);
+
+end:
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+
+  clear_local_identity_and_permissions();
+}
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_empty.txt b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_empty.txt
new file mode 100644
index 0000000..e69de29
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_text.txt b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_text.txt
new file mode 100644
index 0000000..c1991b0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_text.txt
@@ -0,0 +1,3 @@
+This is just a file to see how the Security Plugin
+reacts when it receives a file that doesn't contain
+expected content, but just some text.
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.p7s
new file mode 100644
index 0000000..8992b03
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.p7s
@@ -0,0 +1,199 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----988CFBB47A225358D7A5B33A4CA9AD64"
+
+This is an S/MIME signed message
+
+------988CFBB47A225358D7A5B33A4CA9AD64
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <!-- No access control by any topic and participant is access protected -->
+            <domains>
+                <id>1</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <!-- No write access control by one topic -->
+            <domains>
+                <id>2</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule> 
+        <domain_rule>
+            <!-- No write and read access control by all topic -->
+            <domains>
+                <id>3</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>                  
+        <domain_rule>
+            <!-- Participant is access protected -->
+            <domains>
+                <id>4</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>FALSE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------988CFBB47A225358D7A5B33A4CA9AD64
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAyWjAvBgkqhkiG9w0BCQQxIgQg9ZheySVcKVr9eNKQTeuBdR0z
+Cbgnm4HbSvO8/V0a7CAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACn66JQOghwlIQUMDQ0s
+vMCGMl7OcZtxDdNQ2BYajufv+JGaf46xP6TWk4+c+bDq+9XTDFoTr/KY2XP7vKVD
+RSAm9nlqChzzsKF/7yYdzOP8hILF644PT837mP+E5ss4EYPoPByQLVPWr1B52xWB
+N/kixmZcMxe4btXqE8LGlSsPNioniZsDBRlDOcdFjxTL/3Ksgv6fX2gSEJgYVBH/
+xZ+Cpf4TsdtVDrQwUynck1+BogRtcofnkBFuKozqzwvzDQoLfW2fMnct5Jd7KPwM
+6kN/bRvOEMGYTKYRgfJVdM4rZqbfdRlVnCj+pza4dIHmf5BDSOlsbRqWyJPRmQ8S
+JkM=
+
+------988CFBB47A225358D7A5B33A4CA9AD64--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.xml
new file mode 100644
index 0000000..37749a3
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.xml
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <!-- No access control by any topic and participant is access protected -->
+            <domains>
+                <id>1</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <!-- No write access control by one topic -->
+            <domains>
+                <id>2</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule> 
+        <domain_rule>
+            <!-- No write and read access control by all topic -->
+            <domains>
+                <id>3</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>                  
+        <domain_rule>
+            <!-- Participant is access protected -->
+            <domains>
+                <id>4</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>FALSE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.p7s
new file mode 100644
index 0000000..4ea8fe8
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.p7s
@@ -0,0 +1,267 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----05DBD6F6E587875751A79EAC78048D60"
+
+This is an S/MIME signed message
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*other</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>                
+                <id>200</id>
+                <id>30</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>0</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShipData</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+           
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GyBZYdNlmQT2Nv1CHrUEB6+
+C0U0yXvpmj5+mlGojPAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJXrVHO7KdgYM20uGGNL
+P4VRPmYVWoWIkl5/OEzZ8uirs+oGJR7tYLiFl1wzXUzPBB/03qsANmlshDpFgbmV
+thTV7AGRg3SXUDa/cG4N9PupE5VRZaVdbcbdH1DfoIZCLLp4HK3HgqUXkH9vnC92
+tdtgzxZOCrQ4A6WbGiBkWr5LtMWg2lnwPp55vrfRoh6u0qVEumD+VQi+Lroo9M1E
+659LB2dwEcNb1g1HyoodpKlUSsbGsY/JA7bbNrw/KIGVYcoXfmpgWmtzUjfpkPDj
+zVPImqr6jdxP4quGmGWRmrLHPrEYJscJqCwjNTi6naXnAvaE4nxQ4HBgveEodTuP
+8tM=
+
+------05DBD6F6E587875751A79EAC78048D60--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.xml
new file mode 100644
index 0000000..4ff15ab
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.xml
@@ -0,0 +1,215 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*other</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>                
+                <id>200</id>
+                <id>30</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>0</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShipData</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+           
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.p7s
new file mode 100644
index 0000000..ba75bfe
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.p7s
@@ -0,0 +1,175 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----1A6607CDB3CA97628720C3874B28523D"
+
+This is an S/MIME signed message
+
+------1A6607CDB3CA97628720C3874B28523D
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------1A6607CDB3CA97628720C3874B28523D
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg16RVkhnhbWczLVFXDHVD6lPy
+G5w7StRkpXgPtz/r+5MwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJsBPV85r3vm0jr/YWKo
+J1j054f+gdqnrfH9kv6dvhg/IAK67mfWDHYUUah6D/1HFJve5KMR8tBu2j770M42
+rDjUBVQADqwWc+9ymiGcIjav9r1+YVTzOCHZnASJyqWPakCwwrdMthb2bB//ASmL
+rHOxsJZs68r0ci8ZC4bPbe0m8gAC8lkAvfhIr0/WLO4zhdhVaSrKNKptEjTVGRan
+KcjoHAiNOhxWZfwZ+OVEp6Rnax4xcpGK3oyCcg9v8zGKj9rDX917K3VfW9Guo+Px
+fZ1u+ukL2GgvzPMdJuU0Uw6mPbWMPeAKbIFwLR9P8iXtKuj2HHqteFVbcyIQXZSE
+nRM=
+
+------1A6607CDB3CA97628720C3874B28523D--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.xml
new file mode 100644
index 0000000..d445705
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.p7s
new file mode 100644
index 0000000..9a51a3f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.p7s
@@ -0,0 +1,178 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4B1AFE4A648D807454B86C7DDD6F392C"
+
+This is an S/MIME signed message
+
+------4B1AFE4A648D807454B86C7DDD6F392C
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <ufo>Unidentified Flying Object</ufo>
+
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------4B1AFE4A648D807454B86C7DDD6F392C
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgLhPNfJcKb6QszZuyFWmmLGOQ
+ZDTY0NBpcqMym1+AijAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBABwNsFseYbpH+mGslN/g
+UY1RNq8f9pFOhTn89NAu94xJgZ2wu5izmSsaEK8K8nrPnxTouD7b5P5w5JQnEVU5
+m2yDD62ZdrlNm51u6VS1JoleHleTEyseagVYlLk+R2FYIH8xfjT0e6jc93qIlm+f
+XehwwbCsVUUdy3ViV9APoFP6b5YB+bXe6AtMMTobhEzplqs7GzOFzzC4YuhHSvi2
+sVFXmlHFwOKKIS7he8467breo+SYunv5IttcyqypltydmEcOndCQ2uAWiPvsJIat
+DyIkewjrWFL/0l/uTDmk3EUcTmmugVkhykmkfb9subqMHXKbDkcXgZgggR57/9+n
+eOU=
+
+------4B1AFE4A648D807454B86C7DDD6F392C--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.xml
new file mode 100644
index 0000000..81f5ea6
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.xml
@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <ufo>Unidentified Flying Object</ufo>
+
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_not_signed.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_not_signed.p7s
new file mode 100644
index 0000000..30fa20a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_not_signed.p7s
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_unknown_ca.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_unknown_ca.p7s
new file mode 100644
index 0000000..9f07e40
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_unknown_ca.p7s
@@ -0,0 +1,117 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F38FD3F34A584E774726CA12090D0B48"
+
+This is an S/MIME signed message
+
+------F38FD3F34A584E774726CA12090D0B48
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------F38FD3F34A584E774726CA12090D0B48
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
+pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
+YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
+MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
+NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
+aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
+czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
+Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
+MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
+f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
+/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
+YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
+WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
+T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
+e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
+TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
+k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
+gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
+DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
+bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
+CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
+9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIyMzha
+MC8GCSqGSIb3DQEJBDEiBCBe/wOS+XB5tczAcNs1zT89zfSDIbfFYKfB63j1NExY
+WzB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
+YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
+AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQAy
+baJVxRJcZ3wYtb/TfQUDKNmaz7pYWNoKNxkPyKUerMOAZ9n0yvySNJUpzG+kJJNi
+Ib792GXdmP4hdz4qC4Zx3S7H26OAYcOsTwd6+O/xcv8H7PQoPD+3fplhIvLtpIlS
+//9ghpBXbUowdgzeDrYBpzRLqUth58IxsHd9cJQCCboKZIv8+6eP9fn1OD/CLGV3
+BNMvmeP88LU8UgtiivmmEJZ0fRtDVAGRIWykT1AvTfl69Pv9VKDuUW3qkuMwz7lW
+Dv0c624BYPbQWdU7W5//iy4kSfwrtXtag7aovUbcwkmb2qb5v5c5ZqNoLPUvUpIG
+KZUh0/aBuBovjwHZMcgl
+
+------F38FD3F34A584E774726CA12090D0B48--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca.pem b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca.pem
new file mode 100644
index 0000000..2372ae0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj
+aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx
+MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM
+ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV
+BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD
+uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO
+NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r
+cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L
+FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu
+kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK
+ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND
+LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI
+eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0
+KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl
+PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs
+hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF
+HQ==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca_key.pem b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca_key.pem
new file mode 100644
index 0000000..22fac8b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxr
+nGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSp
+ZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0q
+n2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx
++wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmK
+hysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABAoIBABWqhMSCr+7Mr3O3
+bIymOr+CT4xWI8S47hmKGFCLTrNsfy7cQZ9PdHkm7Ez+rCx+KwQaTrwz7EM/e8aH
+q2zimMn4YXxeS7MFdM+Xvp/Y0BhXMd1j8Nk0x14+WHmQ88YfA4szdrHDekR+6oB6
+5Lc2fAfNbCGdpRksCQWDndrvIOda1swKW1RsGWHPGtSM1qOg09A4CeASqbsxZfdL
+9MgI7aJKYnvJrUhqsNZU3fuOrLDNl7/JvdI08nYLnNkEvbDYbdfH0Q/4laKsSJcp
+0jM6tPrxbHMDmBEwullVPrVqJX+n6Hvz3E8C9QiZq8NWbJUc5FntLx8ynbiJg6Lb
+1w49WxECgYEA8yVky++3v0ZMKZeSeGj3MuKuEJ2q3UdmsKXA+Pyq0rL/hh7r2oUY
+dQDs23BIuaHeIZxAGaMeMjoYQBi+G50XfwHZSMqivxX/yYkXxOJfPQvVLDbqCIWS
+94qU4/xo50IkCNxpvRwfpKG2ce5YG7jrQkfb5I6TfKUWAaXpmaQnbYsCgYEAxaVn
+Hzw3OdY7q6kURSY6a8KqtcuN0lNKeUb68vZemmZ0FNKmyh+xGVFXXlvmJpQgr5Zm
+2W2a1C1oPq2DEdvSKt/aTHVIazG9TtFK1WAXpLxmlXlyqWRv+IvdVkph+p/3dIT0
+Ilaglgbndth4xk0c1zqy3g4VlAgWgKKi5owZ/j8CgYEAndsFGbHEJZZKFCannSzo
+cEzinT7/kzGr5bt3ES9Y5/n2Euk4TmJignPbUowPaxU/1apPo1VXYVx+Kf7mTZ8r
+hfV5T9ze1BhAPGOY3uXo1wU7nLz6LBYsWDHMgEd7A8jZBDe1HmWH1aZ3gHgxE652
+bk2g4T3/WskDBIbmpi0AvAkCgYBKAfFnRMj5IzscwCcS7YmaqD377MiiJQYR+34k
+VBSAhDSbR3Wk4dESxd6NOqQndff3R74jVGNRZ99M+PPHUCSWYVQApToEyY81YDFB
+TMYNrW5MMjm5LB6xVs3+bcPacOPcAZzY7s8a3mL1oYE339AY16X6eBOkZpLmf/+3
+jGZ/SQKBgQDkyxymL4xJGV8HCDontJZiBStD954GH1AgqEAOdQxU5vW4ySQ7yRoT
+ajb8tH052yWW11Mxd0TRW9qbVI0/4/4lR86sODYLFbgrHAMBl7mxJ8Qwi4zdI9Am
+FXGkj5SX2bYrf2f0YvCHNUbELTd4mF6kAH0Eg6kHRXLsSbhtWC7D3Q==
+-----END RSA PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.p7s
new file mode 100644
index 0000000..bf35bf7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----11798C99B4C31493D0479BB8A2064C72"
+
+This is an S/MIME signed message
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgXPEkUvQgZwRMdZgxT8k/mrsJ
+delB0E3RjpayHUkKYzowgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAA/TNULF62fO5mfjXm1L
+Yk4Dg/5ZxAF/grDAjamo5v2fxGn6B1rrkj8YtyB1FEA0moM/cL31kNXNMqLvFdhY
+lHCmX8x5PHkKzLihTIMx6diSCupBvvqUACeA7Ir1A3tMqW5tYYMg6sZ/YolgLLFG
+8XmhttpEibtZm90MN3Xpsa4TiW5PlEWHC5ai3tyeyd/RCVoeQJVA0pAytmjdf2Mw
+C3W/28tUxVCAjdlqXYap6jWZlNv/43P5HED837bF5iqoa1dTvDirca6WPanNjp28
+GQDi4bnD1kAk8wAKIm14qwS+fzxM3SKxJtdQuUCx+s/tPma4bLCqt843ok35SoWo
+QKM=
+
+------11798C99B4C31493D0479BB8A2064C72--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.xml
new file mode 100644
index 0000000..f408942
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.p7s
new file mode 100644
index 0000000..a8e71c1
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D2957343698C311655D075C56A04A68D"
+
+This is an S/MIME signed message
+
+------D2957343698C311655D075C56A04A68D
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------D2957343698C311655D075C56A04A68D
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgcYMSlCRiboSPUqMbBIKL7lBv
+QJlEFiHrJ5t/aOJZbi0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJsR4q4Eeorhd4sQaw+D
+PErzkTuI1PEDzv2oYy3U/w4ZdGF2TJQqZ/OqiKEtmwqVAKfuPb9XQLPSENtn2uZC
+wz9ZcvMJ4/GOOMWezN6J65pfuAeEWa0oGCcAASl7tuk+QpAK3MY8L5hxCPb6sfr9
+jslfMqJ+WYgrOVuqWMAYZoXwIgJ1GdREXOXoCnyEkwy6Prk6NhSDO6Jl91PxcZWG
+ZITu7y/mklX8cSx09MNyOfefFhCIfNnXGJu0HUTYluTFd1LgRan6f0uyPR2zBLlE
+qzuaetvpNlUclf8dywlazI8oRjfrusYo3tiKG+hHkjrXc7WHOh+I08Tqeyue+0tg
+cjw=
+
+------D2957343698C311655D075C56A04A68D--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.xml
new file mode 100644
index 0000000..0be3fa2
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.p7s
new file mode 100644
index 0000000..b3b969e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.p7s
@@ -0,0 +1,219 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62BE4CE8CF1FCB0420A2F2884B1618E6"
+
+This is an S/MIME signed message
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQghoicue+FOmdIHF9rpsNCfmjP
++ZyN+t9kCdmR68JCJU0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAI0BX2tu2DbQjvuzKG35
+myNBcOC9ZzRDqJEtmQhcY/2hAJzurlnclJVTEXFyXdpV4ywtA+lQvbtToh11AvnY
+IY1QWNVm19mfO1J6m6PFu18tizd30sG7p1TZKxGB3zDeVVqmedZ+o7QJHv9/ixzz
+Pyo2B9tG5Su94+ADc0LQNyGICjeMr7L6dhFDsm7fXBi8pMBKy/zEAynTA3r1ibsn
+5zlizPMlad2HCaYv44x7Xksg9FSbzJwJpTiprbQbZSUPYk4WlfVz0l4plzRKu4AP
+lCOsdRE6C6GQFnK5bLyndu3Ycp10niwfkfobruCDyigu+gjZtmmF/T7A8Xkk1uvx
+fAM=
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.xml
new file mode 100644
index 0000000..5ebb397
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.p7s
new file mode 100644
index 0000000..521f4cf
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.p7s
@@ -0,0 +1,219 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----3EE420429594FF1492D49B1EEBFBAF0E"
+
+This is an S/MIME signed message
+
+------3EE420429594FF1492D49B1EEBFBAF0E
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <ufo>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </ufo>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------3EE420429594FF1492D49B1EEBFBAF0E
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgk4Y6Rw4+DVfETNs8Ddv6rnhK
+w7EwwZ9nE7SiujxSsDEwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAGkiiP+V49XZIwqbpqwN
+RHv0tn06/BAuRGNybse1GkVzlNmuwbGObUUpKtKh4VxN8XuTfH5uuLEqftN2LvGG
+zEiyosHX0gjsX6hihqoIcbfdsKpxd/OPCr/iNdOKWCSyV0aqaP3fc9Y2L1xVdXfn
+avjfd8wief+ERfwKlsbHYsgh6/zwhVeMt2mzr8T0c+ICC99+XXmSvpnGJ89amYub
+NnQwdxTp4PBQhudXixG3LrZ1CZafoLRz+x9vEIVF9oFyy7kMkeFtjd7aXc346Ama
+djOu1LtzvWZKOMeGYVaSiQMl4HhpOh/embx+AClH/Hf1o7AA+ivF8vZgUDAAK2GD
+rx8=
+
+------3EE420429594FF1492D49B1EEBFBAF0E--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.xml
new file mode 100644
index 0000000..6f38953
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <ufo>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </ufo>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.p7s
new file mode 100644
index 0000000..804f556
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.p7s
@@ -0,0 +1,95 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E9994989EF5BC12DCCE6563CF088037D"
+
+This is an S/MIME signed message
+
+------E9994989EF5BC12DCCE6563CF088037D
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------E9994989EF5BC12DCCE6563CF088037D
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgVn6yZWB0OOqW+6/ubhU1M4pT
+tL+lh8qj9izsf/c3gKMwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAKhwx+Ew2m6lHQxL0I0K
+Z0fdN8+19XGKYPWNuGwDR5MYpMX5jin/w/FgzeG5gSHqB51PRLJjH81incNVcRCf
+bRKvwOv8b4J8D14ZG28SoNCsKejbXccFuA967ir+GHYrh0V9ikM/TwPuhosxclM5
+hZQuvRKig6Fum+PmGO7sLNyIPB1ODE8gbz0IiY9l6Zlp0xEe/+4YYpBL+GKamnlS
+boRrfgGaTaWWi9EnjZWmJkFBO9vC08XZQ1akCubC0G8Kki0X3ZXJVXkX3AxjvZJY
+XDdstpKWbfqlWzkYlJSI/I96BO2ZXY7nnsQU+8tvPV/6k6BaC80m0FhoTQJfDdLR
+WnA=
+
+------E9994989EF5BC12DCCE6563CF088037D--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.xml
new file mode 100644
index 0000000..27e5fb9
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.p7s
new file mode 100644
index 0000000..a21bac6
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.p7s
@@ -0,0 +1,95 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E0088C6C0B487BC746E35E87718DA89E"
+
+This is an S/MIME signed message
+
+------E0088C6C0B487BC746E35E87718DA89E
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------E0088C6C0B487BC746E35E87718DA89E
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgOCgkm0Mu6pRSDhlMd5/7OGhr
+3TedLdpw5DQNC60vDgYwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBALYwxGivvBYfCdRADnYd
+ysgBOITPhEY+TqqqEtiX4cIyeEdZGMFxcciMxbXVB1qy7js7PM+tbZ/+ICutyA7J
+dkU9cNO9hLM/LYASv9B9zpgxMecYcA9rx7OEpM3Sr2eXOTbu2j3gUoCun7y8f+yv
+iiYUORa0cX8oFnq++rQXHE/0rOVd17tboLvsy97Tro8o1e7WFA2gkJsCyo4QF+Lg
+yz8IKdKMIRLpEl07bGIcIq4gvarQnN3qT1KuOMrDQD29CFZMwCO/TSGVeZYRHdW9
+s1hhmrTlkmlhPyXG9yxm9PH9UHZyfhkbrhIXZtN6M/7SO8VfTMfotyTbFtuatzzL
+fz4=
+
+------E0088C6C0B487BC746E35E87718DA89E--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.xml
new file mode 100644
index 0000000..6c3f892
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_not_signed.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_not_signed.p7s
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_not_signed.p7s
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.p7s
new file mode 100644
index 0000000..7fd4098
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F87E07CA6CCEAB50B03A143AC2354EB4"
+
+This is an S/MIME signed message
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GGu1gWhHWhfWnmg55AIr4tv
+zMK0kIxNfJYQbb7LpJ8wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBALsPI2+b0w+iUPJGJeMd
+VdrY7s/GZYm6M8qOA5fmh3144bY1rZRjdHjXtLdaNDNN1Z5buRCiQcklAilf6O14
+7u6a5HR12N4LTbg3OYQplwz4ed/wBsL726htmkAK3JogGk5OVLqmmdrz3UOD8IaZ
+wAfx2tpj3VJOVuW0XsqOrzQpnOjGWcPeOw6NAxRH1gLsxBP9HDz5+wrsKXjV/zG8
+dFTaZ0bKnBXTp5ccc9jB4qbcllC9nlJkJszGqvwOP7zWBAOXeU+joUGM4Bt+8Pmt
+pKsVAmEqMpc368RMayDBWtTqUWpUKvDh4HSkuOGD4Hj5ViAoLFjisROhIK2d98XI
+cRQ=
+
+------F87E07CA6CCEAB50B03A143AC2354EB4--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.xml
new file mode 100644
index 0000000..99fec50
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.xml
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_ca.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_ca.p7s
new file mode 100644
index 0000000..6a2905a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_ca.p7s
@@ -0,0 +1,87 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7FBACED8776E5A4CF7612C83F9C33E17"
+
+This is an S/MIME signed message
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/C=NL/ST=Some-State/O=ADLINK Technolocy Inc./CN=adlinktech.com</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
+pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
+YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
+MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
+NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
+aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
+czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
+Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
+MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
+f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
+/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
+YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
+WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
+T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
+e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
+TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
+k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
+gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
+DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
+bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
+CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
+9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIzMDNa
+MC8GCSqGSIb3DQEJBDEiBCCvP08gFBO7651mPPDFQ2suhL+eprGCGuRLXmiBmdvx
+ITB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
+YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
+AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQB/
+4EQel+0LsmiNFCUjWM68u4ZvPtFBpeDe456DJuG6QR0LIzW42U7N4P2ZTIqjpGZx
+YekBCNdkiVy6ER5IA4WfcKd6zXZEuXVxkMrGpJlqGdd+IdZpTsrBygGZJS4vMUfD
+/6ty6OycET88RmJIu4V/TM3yLVKzHuj6TxCXb4OIYx8g3mdXUwUrp6DGgqggRSPJ
+tatbpnqGZGcvty8MusXVnjnEwUWnJ/jojypY3MyL4MTbjufjv0K6NKQ3RzoLssot
+SLq0YDLwvX/s9sLXDCedAwFXBS/6Qv56v0M2x4o8e3Eul7gGTMuCd/dJ0BhF8CW+
+IGxR5I3xXssh/AuWRRtV
+
+------7FBACED8776E5A4CF7612C83F9C33E17--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.p7s
new file mode 100644
index 0000000..fb488c7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7B161F9203F175A7F82A389A3E044741"
+
+This is an S/MIME signed message
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg44QSCYJrKGm9hdPbOKQjrnQ8
+LXMSbo0mve1cRKvrm3gwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAH/fJ90OwloC73faPAGC
+VRZrhW/gSsy/1VnprvWdDAU1ZZK+srIISFZAy19LcApTis0Vy9yz2PG8pue49R+y
+UF6mCDSuN/l9SRBdUN+CXQdQ8sGq5SHXNhGzSX/nbR20ol4cSUMpKlEGx66E0KUW
+tkk8HzYw7aHMiwK2E2Y0sbm/M/rdmAbgEoywYfvc25V4FHP66TstfCLBjN9Hz3bH
+WcrCZuPjZo6vBd/rIJQSlgH81aCWn5RfCIccbc3iogwzIhYxAr6d+4do3LNa6H80
+W6CMgl0AnWFfa4QwnXFUzb1/W2rFjHp453w1Cbqk4Ll4ZlVJr4fzIuyuJMQlMrmK
+1P0=
+
+------7B161F9203F175A7F82A389A3E044741--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.xml
new file mode 100644
index 0000000..8a55faf
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/src/validate_local_permissions_utests.c b/src/security/builtin_plugins/tests/validate_local_permissions/src/validate_local_permissions_utests.c
new file mode 100644
index 0000000..b690fdb
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/src/validate_local_permissions_utests.c
@@ -0,0 +1,1020 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/validate_local_permissions/etc/";
+
+static const char *AUTH_IDENTITY_CERT =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *AUTH_IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *AUTH_PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static struct plugins_hdl *g_plugins = NULL;
+static dds_security_authentication *g_auth = NULL;
+static dds_security_access_control *g_access_control = NULL;
+static char *g_path_to_etc_dir = NULL;
+
+/* Prepare a property sequence. */
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+/* Cleanup a property sequence.*/
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+/* Find a property within a sequence.*/
+static DDS_Security_Property_t *dds_security_property_find(DDS_Security_PropertySeq *seq, const char *name)
+{
+  DDS_Security_Property_t *prop = NULL;
+  uint32_t i;
+  for (i = 0; (i < seq->_length) && (prop == NULL); i++)
+  {
+    if (strcmp(seq->_buffer[i].name, name) == 0)
+    {
+      prop = &(seq->_buffer[i]);
+    }
+  }
+  return prop;
+}
+
+/* Cleanup exception contents.*/
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+/* Glue two strings together */
+static char *combine_strings(const char *prefix, const char *postfix)
+{
+  char *str;
+  ddsrt_asprintf(&str, "%s%s", prefix, postfix);
+  return str;
+}
+
+/* Use the given file to create a proper file uri (with directory).*/
+static char *create_uri_file(const char *file)
+{
+  char *uri;
+  char *dir;
+  if (file)
+  {
+    dir = combine_strings("file:", g_path_to_etc_dir);
+    uri = combine_strings(dir, file);
+    ddsrt_free(dir);
+  }
+  else
+  {
+    uri = ddsrt_strdup("file:");
+  }
+  return uri;
+}
+
+/* Read the given file contents and transform it into a data uri.*/
+static char *create_uri_data(const char *file)
+{
+  char *data = NULL;
+  char *location;
+  char *contents;
+
+  if (file)
+  {
+    location = combine_strings(g_path_to_etc_dir, file);
+    if (location)
+    {
+      contents = load_file_contents(location);
+      if (contents)
+      {
+        data = combine_strings("data:,", contents);
+        ddsrt_free(contents);
+      }
+      ddsrt_free(location);
+    }
+  }
+  else
+  {
+    data = ddsrt_strdup("data:,");
+  }
+
+  return data;
+}
+
+/* Fill the security properties of a participant QoS with the
+ * authorization and access_control values. */
+static void fill_property_policy(DDS_Security_PropertyQosPolicy *property, const char *permission_ca, const char *permission_uri, const char *governance_uri)
+{
+  dds_security_property_init(&property->value, 6);
+  /* Authentication properties. */
+  property->value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  property->value._buffer[0].value = ddsrt_strdup(AUTH_IDENTITY_CERT);
+  property->value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  property->value._buffer[1].value = ddsrt_strdup(AUTH_IDENTITY_CA);
+  property->value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  property->value._buffer[2].value = ddsrt_strdup(AUTH_PRIVATE_KEY);
+  /* AccessControl properties. */
+  property->value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  property->value._buffer[3].value = permission_ca ? ddsrt_strdup(permission_ca) : NULL;
+  property->value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  property->value._buffer[4].value = permission_uri ? ddsrt_strdup(permission_uri) : NULL;
+  property->value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  property->value._buffer[5].value = governance_uri ? ddsrt_strdup(governance_uri) : NULL;
+}
+
+/* Open a local identity by calling the authorization plugin with
+ * properly created dummy values and the given participant QoS.*/
+static DDS_Security_IdentityHandle create_local_identity(DDS_Security_Qos *participant_qos)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_DomainId domain_id = 0;
+  DDS_Security_GUID_t local_participant_guid;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  CU_ASSERT_FATAL(g_auth->validate_local_identity != NULL);
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  /* Now call the function. */
+  result = g_auth->validate_local_identity(
+      g_auth,
+      &local_id_hdl,
+      &local_participant_guid,
+      domain_id,
+      participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  return local_id_hdl;
+}
+
+/* Close the given local identity by returning its handle to the
+ * authorization plugin.*/
+static void clear_local_identity(DDS_Security_IdentityHandle local_id_hdl)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_id_hdl != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = g_auth->return_identity_handle(g_auth, local_id_hdl, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+}
+
+/* Prepare the global link to the test's "etc" directory.*/
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * It will transform the given files into proper uri's.
+ * A NULL will result in a file uri without actual link.*/
+static void qos_init_file(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca;
+  char *permission_uri;
+  char *governance_uri;
+
+  permission_ca = create_uri_file(certificate_filename);
+  permission_uri = create_uri_file(permission_filename);
+  governance_uri = create_uri_file(governance_filename);
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * It will transform the given files into data uri's.
+ * A NULL will result in a data uri without actual data.*/
+static void qos_init_data(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca;
+  char *permission_uri;
+  char *governance_uri;
+
+  permission_ca = create_uri_data(certificate_filename);
+  permission_uri = create_uri_data(permission_filename);
+  governance_uri = create_uri_data(governance_filename);
+  CU_ASSERT_FATAL(permission_ca != NULL);
+  CU_ASSERT_FATAL(permission_uri != NULL);
+  CU_ASSERT_FATAL(governance_uri != NULL);
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * A NULL will result in an uri with an unknown type.*/
+static void qos_init_type(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca;
+  char *permission_uri;
+  char *governance_uri;
+
+  if (certificate_filename)
+    permission_ca = create_uri_file(certificate_filename);
+  else
+    permission_ca = ddsrt_strdup("unknown_type:,just some data");
+  if (permission_filename)
+    permission_uri = create_uri_file(permission_filename);
+  else
+    permission_uri = ddsrt_strdup("unknown_type:,just some data");
+  if (governance_filename)
+    governance_uri = create_uri_file(governance_filename);
+  else
+    governance_uri = ddsrt_strdup("unknown_type:,just some data");
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * Allow NULL as property value.*/
+static void qos_init_null(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca = NULL;
+  char *permission_uri = NULL;
+  char *governance_uri = NULL;
+
+  if (certificate_filename)
+    permission_ca = create_uri_file(certificate_filename);
+  if (permission_filename)
+    permission_uri = create_uri_file(permission_filename);
+  if (governance_filename)
+    governance_uri = create_uri_file(governance_filename);
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Cleanup the participant QoS.*/
+static void qos_deinit(DDS_Security_Qos *participant_qos)
+{
+  dds_security_property_deinit(&(participant_qos->property.value));
+}
+
+/* Setup the testing environment by loading the plugins and
+ * creating a local identity.*/
+static DDS_Security_IdentityHandle test_setup(DDS_Security_Qos *participant_qos)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+
+  g_plugins = load_plugins(&g_access_control /* Access Control */,
+                           &g_auth /* Authentication */,
+                           NULL /* Cryptograpy    */);
+  if (g_plugins)
+  {
+    CU_ASSERT_FATAL(g_auth != NULL);
+    CU_ASSERT_FATAL(g_access_control != NULL);
+    CU_ASSERT_FATAL(g_access_control->validate_local_permissions != NULL);
+    CU_ASSERT_FATAL(g_access_control->return_permissions_handle != NULL);
+
+    local_id_hdl = create_local_identity(participant_qos);
+  }
+
+  return local_id_hdl;
+}
+
+/* Teardown the testing environment by clearing the local identity
+ * and closing the plugins.*/
+static int test_teardown(DDS_Security_IdentityHandle local_id_hdl)
+{
+  clear_local_identity(local_id_hdl);
+  unload_plugins(g_plugins);
+  g_plugins = NULL;
+  g_access_control = NULL;
+  g_auth = NULL;
+  return 0;
+}
+
+/* The AccessControl related properties in the participant_qos will
+ * have some kind of problem that should force a failure when
+ * checking the local permissions.*/
+static DDS_Security_long test_failure_scenario(DDS_Security_Qos *participant_qos)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  /* Prepare testing environment. */
+  local_id_hdl = test_setup(participant_qos);
+  CU_ASSERT_FATAL(local_id_hdl != DDS_SECURITY_HANDLE_NIL);
+
+  /* Call the plugin with the invalid property. */
+  result = g_access_control->validate_local_permissions(
+      g_access_control,
+      g_auth,
+      local_id_hdl,
+      0,
+      participant_qos,
+      &exception);
+
+  /* Be sure the plugin returned a failure. */
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    code = exception.code;
+    CU_ASSERT(exception.message != NULL);
+    printf("validate_local_permissions failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
+  }
+  else
+  {
+    reset_exception(&exception);
+    g_access_control->return_permissions_handle(g_access_control, result, &exception);
+  }
+  reset_exception(&exception);
+
+  /* Cleanup the testing environment. */
+  test_teardown(local_id_hdl);
+
+  return code;
+}
+
+/* Use with invalid file link for certificate, permission or
+ * governance. The local permissions check should fail.*/
+static DDS_Security_long test_invalid_file_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_file(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+
+  qos_deinit(&participant_qos);
+
+  return code;
+}
+
+/* Use with invalid data for certificate, permission or governance.
+ * The local permissions check should fail.*/
+static DDS_Security_long test_invalid_data_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_data(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+
+  qos_deinit(&participant_qos);
+
+  return code;
+}
+
+/* Generate uri's with invalid types for certificate, permission
+ * or governance. The local permissions check should fail.*/
+static DDS_Security_long test_invalid_type_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_type(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+  qos_deinit(&participant_qos);
+  return code;
+}
+
+/* Create properties in the QoS without actual values (NULL).
+ * The local permissions check should fail.*/
+static DDS_Security_long test_null_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_null(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+
+  qos_deinit(&participant_qos);
+
+  return code;
+}
+
+/* Get valid documents, but corrupt the signatures.
+ * The local permissions check should fail.*/
+static DDS_Security_long test_corrupted_signature(bool corrupt_permissions, bool corrupt_governance)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Property_t *prop = NULL;
+  DDS_Security_Qos participant_qos;
+  size_t len;
+
+  /* Get data with valid signatures. */
+  qos_init_data(&participant_qos,
+                "Test_Permissions_ca.pem",
+                "Test_Permissions_full.p7s",
+                "Test_Governance_full.p7s");
+
+  /* Only allow one signature to be corrupted. */
+  CU_ASSERT_FATAL(corrupt_permissions != corrupt_governance);
+
+  /* Corrupt the signature. */
+  if (corrupt_permissions)
+    prop = dds_security_property_find(&(participant_qos.property.value), PROPERTY_PERMISSIONS);
+  if (corrupt_governance)
+    prop = dds_security_property_find(&(participant_qos.property.value), PROPERTY_GOVERNANCE);
+
+  /* Just some (hardcoded) sanity checks. */
+  CU_ASSERT_FATAL(prop != NULL);
+  CU_ASSERT_FATAL(prop->value != NULL);
+  len = strlen(prop->value);
+  CU_ASSERT_FATAL(len > 2250);
+
+  /* Corrupt a byte somewhere in the signature. */
+  prop->value[len - 75]--;
+
+  code = test_failure_scenario(&participant_qos);
+  qos_deinit(&participant_qos);
+  return code;
+}
+
+static void suite_validate_local_permissions_init(void)
+{
+  set_path_to_etc_dir();
+}
+
+static void suite_validate_local_permissions_fini(void)
+{
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+/* Supplying proper files should pass the local permissions check */
+CU_Test(ddssec_builtin_validate_local_permissions, valid_file, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  qos_init_file(&participant_qos,
+                "Test_Permissions_ca.pem",
+                "Test_Permissions_full.p7s",
+                "Test_Governance_full.p7s");
+  local_id_hdl = test_setup(&participant_qos);
+  CU_ASSERT_FATAL(local_id_hdl != DDS_SECURITY_HANDLE_NIL);
+
+  result = g_access_control->validate_local_permissions(
+      g_access_control,
+      g_auth,
+      local_id_hdl,
+      0,
+      &participant_qos,
+      &exception);
+
+  CU_ASSERT(result != 0);
+  if (result == 0)
+  {
+    printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  else
+  {
+    g_access_control->return_permissions_handle(g_access_control, result, &exception);
+  }
+  reset_exception(&exception);
+
+  test_teardown(local_id_hdl);
+  qos_deinit(&participant_qos);
+}
+
+/* Supplying proper data should pass the local permissions check */
+CU_Test(ddssec_builtin_validate_local_permissions, valid_data, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  qos_init_data(&participant_qos,
+                "Test_Permissions_ca.pem",
+                "Test_Permissions_full.p7s",
+                "Test_Governance_full.p7s");
+  local_id_hdl = test_setup(&participant_qos);
+  CU_ASSERT(local_id_hdl != DDS_SECURITY_HANDLE_NIL);
+
+  result = g_access_control->validate_local_permissions(
+      g_access_control,
+      g_auth,
+      local_id_hdl,
+      0,
+      &participant_qos,
+      &exception);
+
+  CU_ASSERT(result != 0);
+  if (result == 0)
+  {
+    printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  else
+  {
+    g_access_control->return_permissions_handle(g_access_control, result, &exception);
+  }
+  reset_exception(&exception);
+
+  test_teardown(local_id_hdl);
+  qos_deinit(&participant_qos);
+}
+
+/* Supplying no files but directories should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_directories, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to a valid directory.*/
+  code = test_invalid_file_uri("",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission points to a valid directory. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance points to a valid directory.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Supplying empty files should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_empty_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to an empty file. */
+  code = test_invalid_file_uri("Test_File_empty.txt",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission points to an empty file. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_File_empty.txt",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance points to an empty file. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_File_empty.txt");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Supplying text files should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_text_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to a file with only text. */
+  code = test_invalid_file_uri("Test_File_text.txt",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE);
+
+  /* Permission points to a file with only text. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_File_text.txt",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Governance points to a file with only text. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_File_text.txt");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Not supplying files should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_absent_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to a non-existing file.*/
+  code = test_invalid_file_uri("Test_File_absent.txt",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission points to a non-existing file.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_File_absent.txt",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance points to a non-existing file.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_File_absent.txt");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Not supplying file uris should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_no_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate file uri doesn't point to anything.*/
+  code = test_invalid_file_uri(NULL,
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission file uri doesn't point to anything.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               NULL,
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance file uri doesn't point to anything.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Supplying empty data should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_empty_data, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate is empty data.*/
+  code = test_invalid_data_uri(NULL,
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE);
+
+  /* Permission is empty data.*/
+  code = test_invalid_data_uri("Test_Permissions_ca.pem",
+                               NULL,
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_CODE);
+
+  /* Governance is empty data.*/
+  code = test_invalid_data_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_GOVERNANCE_DOCUMENT_PROPERTY_CODE);
+}
+
+/* Supplying uris with invalid types should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_invalid_types, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate doesn't point to anything: results in invalid type.*/
+  code = test_invalid_type_uri(NULL,
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE);
+
+  /* Permission doesn't point to anything: results in invalid type.*/
+  code = test_invalid_type_uri("Test_Permissions_ca.pem",
+                               NULL,
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE);
+
+  /* Governance doesn't point to anything: results in invalid type*/
+  code = test_invalid_type_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE);
+}
+
+/* Not supplying actual uris should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_null, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate doesn't point to anything.*/
+  code = test_null_uri(NULL,
+                       "Test_Permissions_full.p7s",
+                       "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_MISSING_PROPERTY_CODE);
+
+  /* Permission doesn't point to anything.*/
+  code = test_null_uri("Test_Permissions_ca.pem",
+                       NULL,
+                       "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_MISSING_PROPERTY_CODE);
+
+  /* Governance doesn't point to anything.*/
+  code = test_null_uri("Test_Permissions_ca.pem",
+                       "Test_Permissions_full.p7s",
+                       NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_MISSING_PROPERTY_CODE);
+}
+
+/* Corrupted signatures should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, corrupted_signatures, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Corrupt permission signature.*/
+  code = test_corrupted_signature(true /* Corrupt permissions? Yes. */,
+                                  false /* Corrupt governance?  No.  */);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Corrupt governance signature.*/
+  code = test_corrupted_signature(false /* Corrupt permissions? No.  */,
+                                  true /* Corrupt governance?  Yes. */);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Unknown signatures should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, unknown_ca, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission with unknown CA.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_unknown_ca.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Governance with unknown CA.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_unknown_ca.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Un-available signatures should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, not_signed, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission not signed.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_not_signed.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Governance not signed.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_not_signed.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Permissions outside the validity data should fail the local */
+CU_Test(ddssec_builtin_validate_local_permissions, validity, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission already expired.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_expired.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE);
+
+  /* Permission not yet valid.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_notyet.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE);
+}
+
+/* Permissions document does not contain a proper subject_name,
+ * which should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, subject_name, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission document with unknown subject. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_unknown_subject.p7s",
+                               "Test_Governance_check_create_participant.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE);
+}
+
+/* Documents with invalid xml should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, xml_invalid, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission XML contains invalid domain id. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_invalid_data.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Permission XML contains invalid domain id. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_invalid_element.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Permission XML is missing the 'not before' validity tag.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_lack_of_not_before.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Permission XML is missing the 'not after' validity tag.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_lack_of_not_after.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Governance XML contains invalid encryption kind.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_ok.p7s",
+                               "Test_Governance_invalid_data.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE);
+
+  /* Governance XML contains unknown element.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_ok.p7s",
+                               "Test_Governance_invalid_element.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE);
+}
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.p7s
new file mode 100644
index 0000000..13273ba
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.p7s
@@ -0,0 +1,96 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----57B71E0E17C33E9E1569D11B98DA1D03"
+
+This is an S/MIME signed message
+
+------57B71E0E17C33E9E1569D11B98DA1D03
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------57B71E0E17C33E9E1569D11B98DA1D03
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgocQS4FLDqU6X3kzlYhW9GLLt
+ItKIWQ9ghIL29OEyHPcwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBADPtNnKmzgMNaoeAiyxH
+0oO3D9qsLWlon9eG+ri3e4O4IBGAwPtwN92ah3OmqXeB7xqBlZwnR4jQIxwVl8eL
+Zs2y7lJ6LxPYHJj6qERlYbRjS55X7Wnjcwy81w+yQelSLFcKvdmrV5HIuLbeskWw
+WiJxu3Sxtett3NnJxV5za6C27pxGXmv+xdspUe1Zeoz7WjAA0ljOazSUXAyCriQH
+LXSGjTM8Lgn/P8xJTVzGgxmLmGm9fAhhYk+25G9Fspomigvnj+B6HobEf4xKA/Mm
+WPaLsNkLtbi954g5+EM9AOjpCR/2Ii1NB4lWeKGZLtbEm71dEUe2VDePy2ju+oOB
+9ec=
+
+------57B71E0E17C33E9E1569D11B98DA1D03--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.xml
new file mode 100644
index 0000000..585030e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.p7s
new file mode 100644
index 0000000..bf35bf7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----11798C99B4C31493D0479BB8A2064C72"
+
+This is an S/MIME signed message
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgXPEkUvQgZwRMdZgxT8k/mrsJ
+delB0E3RjpayHUkKYzowgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAA/TNULF62fO5mfjXm1L
+Yk4Dg/5ZxAF/grDAjamo5v2fxGn6B1rrkj8YtyB1FEA0moM/cL31kNXNMqLvFdhY
+lHCmX8x5PHkKzLihTIMx6diSCupBvvqUACeA7Ir1A3tMqW5tYYMg6sZ/YolgLLFG
+8XmhttpEibtZm90MN3Xpsa4TiW5PlEWHC5ai3tyeyd/RCVoeQJVA0pAytmjdf2Mw
+C3W/28tUxVCAjdlqXYap6jWZlNv/43P5HED837bF5iqoa1dTvDirca6WPanNjp28
+GQDi4bnD1kAk8wAKIm14qwS+fzxM3SKxJtdQuUCx+s/tPma4bLCqt843ok35SoWo
+QKM=
+
+------11798C99B4C31493D0479BB8A2064C72--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.xml
new file mode 100644
index 0000000..f408942
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.p7s
new file mode 100644
index 0000000..b3b969e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.p7s
@@ -0,0 +1,219 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62BE4CE8CF1FCB0420A2F2884B1618E6"
+
+This is an S/MIME signed message
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQghoicue+FOmdIHF9rpsNCfmjP
++ZyN+t9kCdmR68JCJU0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAI0BX2tu2DbQjvuzKG35
+myNBcOC9ZzRDqJEtmQhcY/2hAJzurlnclJVTEXFyXdpV4ywtA+lQvbtToh11AvnY
+IY1QWNVm19mfO1J6m6PFu18tizd30sG7p1TZKxGB3zDeVVqmedZ+o7QJHv9/ixzz
+Pyo2B9tG5Su94+ADc0LQNyGICjeMr7L6dhFDsm7fXBi8pMBKy/zEAynTA3r1ibsn
+5zlizPMlad2HCaYv44x7Xksg9FSbzJwJpTiprbQbZSUPYk4WlfVz0l4plzRKu4AP
+lCOsdRE6C6GQFnK5bLyndu3Ycp10niwfkfobruCDyigu+gjZtmmF/T7A8Xkk1uvx
+fAM=
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.xml
new file mode 100644
index 0000000..5ebb397
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.p7s
new file mode 100644
index 0000000..1362a86
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.p7s
@@ -0,0 +1,96 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DE8A6693E9678989859C23D21F4587AD"
+
+This is an S/MIME signed message
+
+------DE8A6693E9678989859C23D21F4587AD
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------DE8A6693E9678989859C23D21F4587AD
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgrFwsV4SyJfHq+dBhrRXj6PlS
+nZYIo1hJ+L29+U2Xpk0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAAt1pbdIgmqHNrruevrr
+TUptMNDw6YzlmXpWAq3KZBGaeaiHpYbkI+WhJJee9hG7bF9NGI/SfjPhiaiTjk2X
+XCgmFZJUQhY8pOWkVPSAhBxd+r4kQtRxo2Na148Z2nrxeqcLbk+SE1hxTwT2OgLh
+HWHBoQofZcRFp36Z9v51fZHAZLbQ8pD45+oAe/7ElyrO80MnJc+2RUxcnLScT1J0
+ykgTsgrQxcVVZX6EFHhQxnzpqCbjGvpdGSnyojAFI4PuQ3uNiOTPTYqad4jf/vIq
+YHngEXSMN8wkd8bopl1EPVdxDqKkXuwAb29Q6UvDWLQ4IDZkdHTWc/ojiKjxWsKF
+wuQ=
+
+------DE8A6693E9678989859C23D21F4587AD--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.xml
new file mode 100644
index 0000000..de70a1c
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_not_signed.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_not_signed.p7s
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_not_signed.p7s
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.p7s
new file mode 100644
index 0000000..7fd4098
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F87E07CA6CCEAB50B03A143AC2354EB4"
+
+This is an S/MIME signed message
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GGu1gWhHWhfWnmg55AIr4tv
+zMK0kIxNfJYQbb7LpJ8wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBALsPI2+b0w+iUPJGJeMd
+VdrY7s/GZYm6M8qOA5fmh3144bY1rZRjdHjXtLdaNDNN1Z5buRCiQcklAilf6O14
+7u6a5HR12N4LTbg3OYQplwz4ed/wBsL726htmkAK3JogGk5OVLqmmdrz3UOD8IaZ
+wAfx2tpj3VJOVuW0XsqOrzQpnOjGWcPeOw6NAxRH1gLsxBP9HDz5+wrsKXjV/zG8
+dFTaZ0bKnBXTp5ccc9jB4qbcllC9nlJkJszGqvwOP7zWBAOXeU+joUGM4Bt+8Pmt
+pKsVAmEqMpc368RMayDBWtTqUWpUKvDh4HSkuOGD4Hj5ViAoLFjisROhIK2d98XI
+cRQ=
+
+------F87E07CA6CCEAB50B03A143AC2354EB4--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.xml
new file mode 100644
index 0000000..99fec50
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.xml
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_ca.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_ca.p7s
new file mode 100644
index 0000000..6a2905a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_ca.p7s
@@ -0,0 +1,87 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7FBACED8776E5A4CF7612C83F9C33E17"
+
+This is an S/MIME signed message
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/C=NL/ST=Some-State/O=ADLINK Technolocy Inc./CN=adlinktech.com</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
+pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
+YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
+MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
+NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
+aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
+czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
+Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
+MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
+f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
+/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
+YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
+WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
+T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
+e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
+TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
+k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
+gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
+DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
+bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
+CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
+9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIzMDNa
+MC8GCSqGSIb3DQEJBDEiBCCvP08gFBO7651mPPDFQ2suhL+eprGCGuRLXmiBmdvx
+ITB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
+YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
+AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQB/
+4EQel+0LsmiNFCUjWM68u4ZvPtFBpeDe456DJuG6QR0LIzW42U7N4P2ZTIqjpGZx
+YekBCNdkiVy6ER5IA4WfcKd6zXZEuXVxkMrGpJlqGdd+IdZpTsrBygGZJS4vMUfD
+/6ty6OycET88RmJIu4V/TM3yLVKzHuj6TxCXb4OIYx8g3mdXUwUrp6DGgqggRSPJ
+tatbpnqGZGcvty8MusXVnjnEwUWnJ/jojypY3MyL4MTbjufjv0K6NKQ3RzoLssot
+SLq0YDLwvX/s9sLXDCedAwFXBS/6Qv56v0M2x4o8e3Eul7gGTMuCd/dJ0BhF8CW+
+IGxR5I3xXssh/AuWRRtV
+
+------7FBACED8776E5A4CF7612C83F9C33E17--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.p7s
new file mode 100644
index 0000000..fb488c7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7B161F9203F175A7F82A389A3E044741"
+
+This is an S/MIME signed message
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg44QSCYJrKGm9hdPbOKQjrnQ8
+LXMSbo0mve1cRKvrm3gwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAH/fJ90OwloC73faPAGC
+VRZrhW/gSsy/1VnprvWdDAU1ZZK+srIISFZAy19LcApTis0Vy9yz2PG8pue49R+y
+UF6mCDSuN/l9SRBdUN+CXQdQ8sGq5SHXNhGzSX/nbR20ol4cSUMpKlEGx66E0KUW
+tkk8HzYw7aHMiwK2E2Y0sbm/M/rdmAbgEoywYfvc25V4FHP66TstfCLBjN9Hz3bH
+WcrCZuPjZo6vBd/rIJQSlgH81aCWn5RfCIccbc3iogwzIhYxAr6d+4do3LNa6H80
+W6CMgl0AnWFfa4QwnXFUzb1/W2rFjHp453w1Cbqk4Ll4ZlVJr4fzIuyuJMQlMrmK
+1P0=
+
+------7B161F9203F175A7F82A389A3E044741--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.xml
new file mode 100644
index 0000000..8a55faf
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/src/validate_remote_permissions_utests.c b/src/security/builtin_plugins/tests/validate_remote_permissions/src/validate_remote_permissions_utests.c
new file mode 100644
index 0000000..137137a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/src/validate_remote_permissions_utests.c
@@ -0,0 +1,1068 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *ACCESS_PERMISSIONS_TOKEN_ID = "DDS:Access:Permissions:1.0";
+static const char *AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *PROPERTY_PERMISSIONS_CA_SN = "dds.perm_ca.sn";
+static const char *PROPERTY_PERMISSIONS_CA_ALGO = "dds.perm_ca.algo";
+static const char *PROPERTY_C_ID = "c.id";
+static const char *PROPERTY_C_PERM = "c.perm";
+
+static const char *SUBJECT_NAME_PERMISSIONS_CA = "C=NL, ST=Some-State, O=ADLINK Technolocy Inc., CN=adlinktech.com";
+static const char *RSA_2048_ALGORITHM_NAME = "RSA-2048";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/validate_remote_permissions/etc/";
+
+static const char *identity_certificate =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *identity_ca =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *private_key =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *permissions_ca =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_GUID_t local_participant_guid;
+static char *g_path_to_etc_dir = NULL;
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(private_key);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(permissions_ca);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static void fill_permissions_token(DDS_Security_PermissionsToken *token)
+{
+  memset(token, 0, sizeof(DDS_Security_PermissionsToken));
+
+  token->class_id = ddsrt_strdup(ACCESS_PERMISSIONS_TOKEN_ID);
+  token->properties._length = token->properties._maximum = 2;
+  token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+  token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_SN);
+  token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_PERMISSIONS_CA);
+
+  token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_ALGO);
+  token->properties._buffer[1].value = ddsrt_strdup(RSA_2048_ALGORITHM_NAME);
+}
+
+static int fill_peer_credential_token(DDS_Security_AuthenticatedPeerCredentialToken *token, const char *permission_filename)
+{
+  int result = 1;
+  char *permission_uri;
+  char *permission_data;
+
+  memset(token, 0, sizeof(DDS_Security_AuthenticatedPeerCredentialToken));
+
+  ddsrt_asprintf(&permission_uri, "%s%s", g_path_to_etc_dir, permission_filename);
+
+  permission_data = load_file_contents(permission_uri);
+
+  if (permission_data)
+  {
+    token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+    token->properties._length = token->properties._maximum = 2;
+    token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+    token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_C_ID);
+    token->properties._buffer[0].value = ddsrt_strdup(&identity_certificate[6]);
+
+    token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_C_PERM);
+    token->properties._buffer[1].value = permission_data;
+  }
+  else
+  {
+    ddsrt_free(permission_data);
+    result = 0;
+  }
+  ddsrt_free(permission_uri);
+
+  return result;
+}
+
+static void corrupt_permission_signature(DDS_Security_AuthenticatedPeerCredentialToken *token)
+{
+  DDS_Security_string permissions;
+  size_t len;
+
+  /* It is expected that the permissions are available in a fixed location. */
+  CU_ASSERT_FATAL(token != NULL);
+  CU_ASSERT_FATAL(token->properties._buffer != NULL);
+  CU_ASSERT_FATAL(token->properties._length == 2);
+  CU_ASSERT_FATAL(token->properties._buffer[1].name != NULL);
+  CU_ASSERT_FATAL(token->properties._buffer[1].value != NULL);
+  CU_ASSERT_FATAL(strcmp(token->properties._buffer[1].name, PROPERTY_C_PERM) == 0);
+
+  /* Corrupt a byte somewhere in the signature. */
+  permissions = token->properties._buffer[1].value;
+  CU_ASSERT_FATAL(permissions != NULL);
+  len = strlen(permissions);
+  CU_ASSERT_FATAL(len > 100);
+  permissions[len - 75]--;
+}
+
+static int validate_local_identity_and_permissions(void)
+{
+  int res = 0;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_DomainId domain_id = 0;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, "Test_Permissions_ok.p7s", "Test_Governance_ok.p7s");
+
+  /* Now call the function. */
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    res = -1;
+    printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  if (res == 0)
+  {
+    local_permissions_handle = access_control->validate_local_permissions(
+        access_control,
+        auth,
+        local_identity_handle,
+        0,
+        &participant_qos,
+        &exception);
+
+    if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+    {
+      res = -1;
+      printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+  }
+
+  dds_security_property_deinit(&participant_qos.property.value);
+
+  return res;
+}
+
+static void clear_local_identity_and_permissions(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_validate_remote_permissions_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL(plugins != NULL);
+  set_path_to_etc_dir();
+  validate_local_identity_and_permissions();
+}
+
+static void suite_validate_remote_permissions_fini(void)
+{
+  clear_local_identity_and_permissions();
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, valid_permissions, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_ok.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  reset_exception(&exception);
+  CU_ASSERT_FATAL(result != 0);
+  access_control->return_permissions_handle(access_control, result, &exception);
+  reset_exception(&exception);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_unknown_ca, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_unknown_ca.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_not_signed, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_not_signed.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, invalid_credential_token, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  remote_identity_handle++;
+
+  fill_permissions_token(&permissions_token);
+
+  /* empty peer credential token */
+  memset(&credential_token, 0, sizeof(credential_token));
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with invalid class id */
+  credential_token.class_id = "UNKNOWN";
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no properties */
+  credential_token.class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with empty properties */
+  credential_token.properties._length = credential_token.properties._maximum = 2;
+  credential_token.properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no c.id value */
+  credential_token.properties._buffer[0].name = ddsrt_strdup(PROPERTY_C_ID);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no c.perm */
+  credential_token.properties._buffer[0].value = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no c.perm value*/
+  credential_token.properties._buffer[1].name = ddsrt_strdup(PROPERTY_C_PERM);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with invalid c.perm value */
+  credential_token.properties._buffer[1].value = ddsrt_strdup("Invalid value");
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, invalid_xml, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  //permissions_token.
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_invalid_data.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT(result == 0);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+  CU_ASSERT(exception.message != NULL);
+  if (exception.message)
+  {
+    printf("(%d) %s\n", (int)exception.code, exception.message);
+  }
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_expired, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_expired.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE);
+  CU_ASSERT_NSTRING_EQUAL_FATAL(DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE, exception.message, strlen(DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE) - 16);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_not_yet, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_notyet.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE);
+  CU_ASSERT_NSTRING_EQUAL_FATAL(DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE, exception.message, strlen(DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE) - 14);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_unknown_subject_name, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_unknown_subject.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE);
+  CU_ASSERT_STRING_EQUAL_FATAL(DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE, exception.message);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+
+  /* missing subject name component */
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_missing_subject_component.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE);
+  CU_ASSERT_STRING_EQUAL_FATAL(DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE, exception.message);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_different_subject, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_different_subject_representation.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result != 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, corrupted_signature, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  //permissions_token.
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_ok.p7s");
+  CU_ASSERT_FATAL(r);
+
+  corrupt_permission_signature(&credential_token);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT(result == 0);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+  CU_ASSERT(exception.message != NULL);
+  if (exception.message)
+  {
+    printf("(%d) %s\n", (int)exception.code, exception.message);
+  }
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
diff --git a/src/security/core/include/dds/security/core/dds_security_utils.h b/src/security/core/include/dds/security/core/dds_security_utils.h
index fe975d6..a66c4d3 100644
--- a/src/security/core/include/dds/security/core/dds_security_utils.h
+++ b/src/security/core/include/dds/security/core/dds_security_utils.h
@@ -13,10 +13,12 @@
 #ifndef DSCMN_SECURITY_UTILS_H_
 #define DSCMN_SECURITY_UTILS_H_
 
-#include "dds/export.h"
 #include <stddef.h>
 #include <stdint.h>
 #include <stdbool.h>
+#include "dds/export.h"
+#include "dds/ddsrt/strtol.h"
+#include "dds/ddsrt/time.h"
 #include "dds/security/core/dds_security_types.h"
 #include "dds/security/dds_security_api.h"
 
@@ -339,6 +341,10 @@ ddssec_strchrs (
         const char *chrs,
         bool inc);
 
+DDS_EXPORT dds_time_t
+DDS_Security_parse_xml_date(
+        char *buf);
+
 
 #define DDS_Security_ParticipantCryptoTokenSeq_alloc() \
                     DDS_Security_DataHolderSeq_alloc())
diff --git a/src/security/core/src/dds_security_utils.c b/src/security/core/src/dds_security_utils.c
index 665e587..8a5cef7 100644
--- a/src/security/core/src/dds_security_utils.c
+++ b/src/security/core/src/dds_security_utils.c
@@ -807,47 +807,34 @@ DDS_Security_Exception_set(
 #if DDSI_INCLUDE_SSL
 DDS_EXPORT void
 DDS_Security_Exception_set_with_openssl_error(
-         DDS_Security_SecurityException *ex,
-         const char *context,
-         int code,
-         int minor_code,
-         const char *error_area
-        )
+    DDS_Security_SecurityException *ex,
+    const char *context,
+    int code,
+    int minor_code,
+    const char *error_area)
 {
+    BIO *bio;
+    assert(context);
+    assert(error_area);
+    assert(ex);
+    DDSRT_UNUSED_ARG(context);
 
-  BIO *bio;
-  char *buf = NULL;
-  char *str;
-  size_t len; /*BIO_get_mem_data requires long int */
-  assert(context);
-  assert(error_area);
-  assert(ex);
-  DDSRT_UNUSED_ARG( context );
-
-  bio = BIO_new(BIO_s_mem());
-
-  if (bio) {
-      size_t exception_msg_len;
-      ERR_print_errors(bio);
-      len = (size_t)BIO_get_mem_data (bio, &buf);
-      exception_msg_len = len + strlen(error_area) + 1;
-      str = ddsrt_malloc(  exception_msg_len );
-
-      ddsrt_strlcpy(str, error_area, exception_msg_len);
-      memcpy(str + strlen(error_area), buf, len );
-      str [ exception_msg_len -1 ] = '\0';
-      //snprintf( str, exception_msg_len, "%s%s", error_area, buf );
-
-      ex->message = str;
-      ex->code = code;
-      ex->minor_code = minor_code;
-
-      BIO_free(bio);
-
-  } else {
-      DDS_Security_Exception_set(ex, context, code,  minor_code, "BIO_new failed");
-  }
-
+    if ((bio = BIO_new(BIO_s_mem()))) {
+        ERR_print_errors(bio);
+        char *buf = NULL;
+        size_t len = (size_t)BIO_get_mem_data(bio, &buf);
+        size_t exception_msg_len = len + strlen(error_area) + 1;
+        char *str = ddsrt_malloc(exception_msg_len);
+        ddsrt_strlcpy(str, error_area, exception_msg_len);
+        memcpy(str + strlen(error_area), buf, len);
+        str[exception_msg_len - 1] = '\0';
+        ex->message = str;
+        ex->code = code;
+        ex->minor_code = minor_code;
+        BIO_free(bio);
+    } else {
+        DDS_Security_Exception_set(ex, context, code, minor_code, "BIO_new failed");
+    }
 }
 #endif
 
@@ -1104,6 +1091,203 @@ DDS_Security_normalize_file(
     }
 #undef __FILESEPCHAR
     return norm;
-
 }
 
+/**
+ * Parses an XML date string and returns this as a dds_time_t value. As leap seconds are not permitted
+ * in the XML date format (as stated in the XML Schema specification), this parser function does not
+ * accept leap seconds in its input string. This complies with the dds_time_t representation on posix,
+ * which is a unix timestamp (that also ignores leap seconds).
+ *
+ * As a dds_time_t is expressed as nanoseconds, the fractional seconds part of the input string will
+ * be rounded in case the fractional part has more than 9 digits.
+ */
+dds_time_t
+DDS_Security_parse_xml_date(
+    char *buf)
+{
+  int32_t year = -1;
+  int32_t month = -1;
+  int32_t day = -1;
+  int32_t hour = -1;
+  int32_t minute = -1;
+  int32_t second = -1;
+  int32_t hour_offset = -1;
+  int32_t minute_offset = -1;
+
+  int64_t frac_ns = 0;
+
+  size_t cnt = 0;
+  size_t cnt_frac_sec = 0;
+
+  assert(buf != NULL);
+
+  /* Make an integrity check of the string before the conversion*/
+  while (buf[cnt] != '\0')
+  {
+    if (cnt == 4 || cnt == 7)
+    {
+      if (buf[cnt] != '-')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 10)
+    {
+      if (buf[cnt] != 'T')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 13 || cnt == 16)
+    {
+      if (buf[cnt] != ':')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 19)
+    {
+      if (buf[cnt] != 'Z' && buf[cnt] != '+' && buf[cnt] != '-' && buf[cnt] != '.')
+        return DDS_TIME_INVALID;
+
+      /* If a dot is found then a variable number of fractional seconds is present.
+               A second integrity loop to account for the variability is used */
+      if (buf[cnt] == '.' && !cnt_frac_sec)
+      {
+        cnt_frac_sec = 1;
+        while (buf[cnt + 1] != '\0' && buf[cnt + 1] >= '0' && buf[cnt + 1] <= '9')
+        {
+          cnt_frac_sec++;
+          cnt++;
+        }
+      }
+    }
+    else if (cnt == 19 + cnt_frac_sec)
+    {
+      if (buf[cnt] != 'Z' && buf[cnt] != '+' && buf[cnt] != '-')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 22 + cnt_frac_sec)
+    {
+      if (buf[cnt] != ':')
+        return DDS_TIME_INVALID;
+    }
+    else
+    {
+      if (buf[cnt] < '0' || buf[cnt] > '9')
+        return DDS_TIME_INVALID;
+    }
+    cnt++;
+  }
+
+  /* Do not allow more than 12 (13 including the dot) and less than 1 fractional second digits if they are used */
+  if (cnt_frac_sec && (cnt_frac_sec < 2 || cnt_frac_sec > 13))
+    return DDS_TIME_INVALID;
+
+  /* Valid string length value at this stage are 19, 20 and 25 plus the fractional seconds part */
+  if (cnt != 19 + cnt_frac_sec && cnt != 20 + cnt_frac_sec && cnt != 25 + cnt_frac_sec)
+    return DDS_TIME_INVALID;
+
+  year = ddsrt_todigit(buf[0]) * 1000 + ddsrt_todigit(buf[1]) * 100 + ddsrt_todigit(buf[2]) * 10 + ddsrt_todigit(buf[3]);
+  month = ddsrt_todigit(buf[5]) * 10 + ddsrt_todigit(buf[6]);
+  day = ddsrt_todigit(buf[8]) * 10 + ddsrt_todigit(buf[9]);
+
+  hour = ddsrt_todigit(buf[11]) * 10 + ddsrt_todigit(buf[12]);
+  minute = ddsrt_todigit(buf[14]) * 10 + ddsrt_todigit(buf[15]);
+  second = ddsrt_todigit(buf[17]) * 10 + ddsrt_todigit(buf[18]);
+
+  {
+    int64_t frac_ns_pow = DDS_NSECS_IN_SEC / 10;
+    size_t n = 0;
+    for (n = 0; cnt_frac_sec && n < cnt_frac_sec - 1; n++)
+    {
+      /* Maximum granularity is nanosecond so round to maximum 9 digits */
+      if (n == 9)
+      {
+        if (ddsrt_todigit(buf[20 + n]) >= 5)
+          frac_ns++;
+        break;
+      }
+      frac_ns += ddsrt_todigit(buf[20 + n]) * frac_ns_pow;
+      frac_ns_pow = frac_ns_pow / 10;
+    }
+  }
+
+  /* If the length is 20 the last character must be a Z representing UTC time zone */
+  if (cnt == 19 + cnt_frac_sec || (cnt == 20 + cnt_frac_sec && buf[19 + cnt_frac_sec] == 'Z'))
+  {
+    hour_offset = 0;
+    minute_offset = 0;
+  }
+  else if (cnt == 25 + cnt_frac_sec)
+  {
+    hour_offset = ddsrt_todigit(buf[20 + cnt_frac_sec]) * 10 + ddsrt_todigit(buf[21 + cnt_frac_sec]);
+    minute_offset = ddsrt_todigit(buf[23 + cnt_frac_sec]) * 10 + ddsrt_todigit(buf[24 + cnt_frac_sec]);
+  }
+  else
+    return DDS_TIME_INVALID;
+
+  /* Make a limit check to make sure that all the numbers are within absolute boundaries.
+     Note that leap seconds are not allowed in XML dates and therefore not supported. */
+  if (year < 1970 || year > 2262 || month < 1 || month > 12 || day < 1 || day > 31 ||
+      hour < 0 || hour > 23 || minute < 0 || minute > 59 || second < 0 || second > 59 ||
+      ((hour_offset < 0 || hour_offset > 11 || minute_offset < 0 || minute_offset > 59) && (hour_offset != 12 || minute_offset != 0)))
+  {
+    return DDS_TIME_INVALID;
+  }
+
+  /*  Boundary check including consideration for month and leap years */
+  if (!(((month == 4 || month == 6 || month == 9 || month == 11) && (day >= 1 && day <= 30)) ||
+      ((month == 1 || month == 3 || month == 5 || month == 7 || month == 8 || month == 10 || month == 12) && (day >= 1 && day <= 31)) ||
+      (month == 2 && ((year % 100 != 0 && year % 4 == 0) || (year % 400 == 0)) && (day >= 1 && day <= 29)) ||
+      (month == 2 && (day >= 1 && day <= 28))))
+  {
+    return DDS_TIME_INVALID;
+  }
+
+  /* Convert the year-month-day to total number of days */
+  int32_t total_leap_years = (year - 1970 + 1) / 4;
+  /* Leap year count decreased by the number of xx00 years before current year because these are not leap years,
+     except for 2000. The year 2400 is not in the valid year range so we don't take that into account. */
+  if (year > 2100)
+    total_leap_years -= year / 100 - 20;
+  if (year == 2200)
+    total_leap_years++;
+
+  int32_t total_reg_years = year - 1970 - total_leap_years;
+  int32_t total_num_days = total_leap_years * 366 + total_reg_years * 365;
+  int32_t month_cnt;
+
+  for (month_cnt = 1; month_cnt < month; month_cnt++)
+  {
+    if (month_cnt == 4 || month_cnt == 6 || month_cnt == 9 || month_cnt == 11)
+      total_num_days += 30;
+    else if (month_cnt == 2)
+    {
+      if (year % 400 == 0 || (year % 100 != 0 && year % 4 == 0))
+        total_num_days += 29;
+      else
+        total_num_days += 28;
+    }
+    else
+      total_num_days += 31;
+  }
+  total_num_days += day - 1;
+
+  /* Correct the offset sign if negative */
+  if (buf[19 + cnt_frac_sec] == '-')
+  {
+    hour_offset = -hour_offset;
+    minute_offset = -minute_offset;
+  }
+  /* Convert the total number of days to seconds */
+  int64_t ts_days = (int64_t)total_num_days * 24 * 60 * 60;
+  int64_t ts_hms = hour * 60 * 60 + minute * 60 + second;
+  if (ts_days + ts_hms > INT64_MAX / DDS_NSECS_IN_SEC)
+    return DDS_TIME_INVALID;
+  int64_t ts = DDS_SECS(ts_days + ts_hms);
+
+  /* Apply the hour and minute offset */
+  int64_t ts_offset = DDS_SECS((int64_t)hour_offset * 60 * 60 + minute_offset * 60);
+
+  /* Prevent the offset from making the timestamp negative or overflow it */
+  if ((ts_offset <= 0 || (ts_offset > 0 && ts_offset < ts)) && INT64_MAX - ts - frac_ns >= -ts_offset)
+    return ts - ts_offset + frac_ns;
+
+  return DDS_TIME_INVALID;
+}
diff --git a/src/security/core/tests/CMakeLists.txt b/src/security/core/tests/CMakeLists.txt
index 9cd0e27..d240583 100644
--- a/src/security/core/tests/CMakeLists.txt
+++ b/src/security/core/tests/CMakeLists.txt
@@ -15,6 +15,7 @@ include (CUnit)
 set(security_core_test_sources
     "tc_fsm.c"
     "dds_security_core.c"
+    "security_utils.c"
   )
 
 add_definitions(-DDDSI_INCLUDE_SECURITY)
diff --git a/src/security/core/tests/security_utils.c b/src/security/core/tests/security_utils.c
new file mode 100644
index 0000000..ec4ab89
--- /dev/null
+++ b/src/security/core/tests/security_utils.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "dds/ddsrt/time.h"
+#include "dds/security/core/dds_security_utils.h"
+
+CU_Test(ddssec_security_utils, parse_xml_date)
+{
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date(""), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("abc"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01D01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2019-02-29T01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2100-02-29T01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2010-01-01T23:59:60Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01+01"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01+0100"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01+0:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1970-01-01T00:00:00+01:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0000000000001+01:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0.1+01:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.+01:00"), DDS_TIME_INVALID);
+
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1970-01-01T00:00:00Z"), 0);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2000-02-29T00:00:00Z"), DDS_SECS(951782400));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01Z"), DDS_SECS(1577840461));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01+00:30"), DDS_SECS(1577840461 - 30 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01+01:00"), DDS_SECS(1577840461 - 60 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01+12:00"), DDS_SECS(1577840461 - 12 * 60 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01-01:00"), DDS_SECS(1577840461 + 60 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-12-31T23:59:59Z"), DDS_SECS(1609459199));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-02-29T01:01:01Z"), DDS_SECS(1582938061));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2038-01-19T03:14:07Z"), DDS_SECS(INT32_MAX));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2038-01-19T03:14:08Z"), DDS_SECS(INT64_C(INT32_MAX + 1)));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2100-01-01T00:00:00Z"), DDS_SECS(4102444800));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2120-01-01T00:00:00Z"), DDS_SECS(4733510400));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2200-01-01T00:00:00Z"), DDS_SECS(7258118400));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2220-01-01T00:00:00Z"), DDS_SECS(7889184000));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775807Z"), INT64_MAX);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775808Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775807+00:01"), INT64_MAX - DDS_SECS(60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775807-00:01"), DDS_TIME_INVALID);
+
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.000000001+01:00"),  INT64_C(1577836861000000001));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0000000004+01:00"), INT64_C(1577836861000000000));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0000000005+01:00"), INT64_C(1577836861000000001));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.987654321+01:00"),  INT64_C(1577836861987654321));
+}