From 3b4facbd454308247e7be3a423e1f1f44cf944d7 Mon Sep 17 00:00:00 2001
From: Dennis Potman <dennis.potman@adlinktech.com>
Date: Thu, 21 Nov 2019 12:01:34 +0100
Subject: [PATCH] DDS Security built-in Access Control plugin

This commit adds the build-in Access Control plugin that is part of the
DDS Security implementation for Cyclone.

The Access Control Plugin API defines the types and operations necessary
to support an access control mechanism for DDS Domain Participants.

Similar to other builtin plugins, the DDS Security access control plugin
is built as a shared library to allow dynamic library loading on runtime.
This enables DDS participants to use specific plugin implementations with
different configurations.

This commit includes some basic tests for the access control functions.
This initial version of the plugin does not support permissions expiry
(not-valid-after date in permissions configuration).

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Process review comments for access control plugin

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Part 2 of processing review changes for access control

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Add test for topicname dcps, add comment for xml date parser

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Fixed an bug in leap year count for year 2200, changed the rounding for sub-ns fraction and added an additional overflow test in DDS_Security_parse_xml_date

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
---
 src/core/ddsc/src/dds__topic.h                |    2 +
 src/core/ddsc/src/dds_builtin.c               |    2 +-
 src/core/ddsc/src/dds_topic.c                 |   11 +-
 src/core/ddsc/tests/topic.c                   |    2 +-
 .../dds/security/dds_security_api_err.h       |   10 +-
 src/security/builtin_plugins/CMakeLists.txt   |    1 +
 .../access_control/CMakeLists.txt             |   55 +
 .../access_control/src/access_control.c       | 2486 +++++++++++++++++
 .../access_control/src/access_control.h       |   21 +
 .../src/access_control_objects.c              |  283 ++
 .../src/access_control_objects.h              |  106 +
 .../src/access_control_parser.c               | 1212 ++++++++
 .../src/access_control_parser.h               |  301 ++
 .../access_control/src/access_control_utils.c |  406 +++
 .../access_control/src/access_control_utils.h |   30 +
 .../builtin_plugins/tests/CMakeLists.txt      |   27 +-
 .../src/access_control_fnmatch_utests.c       |   67 +
 .../etc/Test_Governance_ok.p7s                |  114 +
 .../etc/Test_Permissions_ok.p7s               |   85 +
 .../get_permissions_credential_token_utests.c |  497 ++++
 .../etc/Test_Governance_ok.p7s                |  114 +
 .../etc/Test_Permissions_ok.p7s               |   85 +
 .../src/get_permissions_token_utests.c        |  439 +++
 .../etc/Test_Governance_full.p7s              |  267 ++
 ..._Governance_liveliness_discovery_clear.p7s |  114 +
 ..._Governance_liveliness_discovery_clear.xml |   62 +
 ...ernance_liveliness_discovery_different.p7s |  114 +
 ...ernance_liveliness_discovery_different.xml |   62 +
 ...ernance_liveliness_discovery_encrypted.p7s |  114 +
 ...ernance_liveliness_discovery_encrypted.xml |   62 +
 ..._discovery_encrypted_and_authenticated.p7s |  114 +
 ..._discovery_encrypted_and_authenticated.xml |   62 +
 ...Governance_liveliness_discovery_signed.p7s |  114 +
 ...Governance_liveliness_discovery_signed.xml |   62 +
 ...ess_discovery_signed_and_authenticated.p7s |  114 +
 ...ess_discovery_signed_and_authenticated.xml |   62 +
 .../etc/Test_Permissions_ok.p7s               |   85 +
 .../src/get_xxx_sec_attributes_utests.c       | 1649 +++++++++++
 .../etc/Test_Governance_ok.p7s                |  114 +
 .../etc/Test_Permissions_ca.pem               |   22 +
 .../etc/Test_Permissions_ca_key.pem           |   27 +
 .../etc/Test_Permissions_listener.p7s         |   51 +
 .../src/listeners_access_control_utests.c     |  671 +++++
 .../etc/Test_File_empty.txt                   |    0
 .../etc/Test_File_text.txt                    |    3 +
 ...st_Governance_check_create_participant.p7s |  199 ++
 ...st_Governance_check_create_participant.xml |  147 +
 .../etc/Test_Governance_full.p7s              |  267 ++
 .../etc/Test_Governance_full.xml              |  215 ++
 .../etc/Test_Governance_invalid_data.p7s      |  175 ++
 .../etc/Test_Governance_invalid_data.xml      |  123 +
 .../etc/Test_Governance_invalid_element.p7s   |  178 ++
 .../etc/Test_Governance_invalid_element.xml   |  126 +
 .../etc/Test_Governance_not_signed.p7s        |   62 +
 .../etc/Test_Governance_ok.p7s                |  114 +
 .../etc/Test_Governance_unknown_ca.p7s        |  117 +
 .../etc/Test_Permissions_ca.pem               |   22 +
 .../etc/Test_Permissions_ca_key.pem           |   27 +
 .../etc/Test_Permissions_expired.p7s          |  243 ++
 .../etc/Test_Permissions_expired.xml          |  191 ++
 .../etc/Test_Permissions_full.p7s             |  243 ++
 .../etc/Test_Permissions_full.xml             |  191 ++
 .../etc/Test_Permissions_invalid_data.p7s     |  219 ++
 .../etc/Test_Permissions_invalid_data.xml     |  167 ++
 .../etc/Test_Permissions_invalid_element.p7s  |  219 ++
 .../etc/Test_Permissions_invalid_element.xml  |  167 ++
 .../Test_Permissions_lack_of_not_after.p7s    |   95 +
 .../Test_Permissions_lack_of_not_after.xml    |   43 +
 .../Test_Permissions_lack_of_not_before.p7s   |   95 +
 .../Test_Permissions_lack_of_not_before.xml   |   43 +
 .../etc/Test_Permissions_not_signed.p7s       |   33 +
 .../etc/Test_Permissions_notyet.p7s           |  243 ++
 .../etc/Test_Permissions_notyet.xml           |  191 ++
 .../etc/Test_Permissions_ok.p7s               |   85 +
 .../etc/Test_Permissions_ok.xml               |   33 +
 .../etc/Test_Permissions_unknown_ca.p7s       |   87 +
 .../etc/Test_Permissions_unknown_subject.p7s  |   85 +
 .../etc/Test_Permissions_unknown_subject.xml  |   33 +
 .../src/validate_local_permissions_utests.c   | 1020 +++++++
 .../etc/Test_Governance_ok.p7s                |  114 +
 ...sions_different_subject_representation.p7s |   96 +
 ...sions_different_subject_representation.xml |   44 +
 .../etc/Test_Permissions_expired.p7s          |  243 ++
 .../etc/Test_Permissions_expired.xml          |  191 ++
 .../etc/Test_Permissions_invalid_data.p7s     |  219 ++
 .../etc/Test_Permissions_invalid_data.xml     |  167 ++
 ..._Permissions_missing_subject_component.p7s |   96 +
 ..._Permissions_missing_subject_component.xml |   44 +
 .../etc/Test_Permissions_not_signed.p7s       |   33 +
 .../etc/Test_Permissions_notyet.p7s           |  243 ++
 .../etc/Test_Permissions_notyet.xml           |  191 ++
 .../etc/Test_Permissions_ok.p7s               |   85 +
 .../etc/Test_Permissions_ok.xml               |   33 +
 .../etc/Test_Permissions_unknown_ca.p7s       |   87 +
 .../etc/Test_Permissions_unknown_subject.p7s  |   85 +
 .../etc/Test_Permissions_unknown_subject.xml  |   33 +
 .../src/validate_remote_permissions_utests.c  | 1068 +++++++
 .../dds/security/core/dds_security_utils.h    |    8 +-
 src/security/core/src/dds_security_utils.c    |  264 +-
 src/security/core/tests/CMakeLists.txt        |    1 +
 src/security/core/tests/security_utils.c      |   62 +
 101 files changed, 19154 insertions(+), 52 deletions(-)
 create mode 100644 src/security/builtin_plugins/access_control/CMakeLists.txt
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control.c
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control.h
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control_objects.c
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control_objects.h
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control_parser.c
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control_parser.h
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control_utils.c
 create mode 100644 src/security/builtin_plugins/access_control/src/access_control_utils.h
 create mode 100644 src/security/builtin_plugins/tests/access_control_fnmatch/src/access_control_fnmatch_utests.c
 create mode 100644 src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Governance_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Permissions_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_permissions_credential_token/src/get_permissions_credential_token_utests.c
 create mode 100644 src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Governance_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Permissions_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_permissions_token/src/get_permissions_token_utests.c
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_full.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.xml
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.xml
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.xml
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.xml
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.xml
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.xml
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Permissions_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c
 create mode 100644 src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Governance_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca.pem
 create mode 100644 src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca_key.pem
 create mode 100644 src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_listener.p7s
 create mode 100644 src/security/builtin_plugins/tests/listeners_access_control/src/listeners_access_control_utests.c
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_empty.txt
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_text.txt
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_not_signed.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_unknown_ca.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca.pem
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca_key.pem
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_not_signed.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_ca.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_local_permissions/src/validate_local_permissions_utests.c
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Governance_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_not_signed.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_ca.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.p7s
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.xml
 create mode 100644 src/security/builtin_plugins/tests/validate_remote_permissions/src/validate_remote_permissions_utests.c
 create mode 100644 src/security/core/tests/security_utils.c

diff --git a/src/core/ddsc/src/dds__topic.h b/src/core/ddsc/src/dds__topic.h
index d59dc1f..f6de42a 100644
--- a/src/core/ddsc/src/dds__topic.h
+++ b/src/core/ddsc/src/dds__topic.h
@@ -35,6 +35,8 @@ DDS_EXPORT void dds_topic_set_filter_with_ctx
 DDS_EXPORT dds_topic_intern_filter_fn dds_topic_get_filter_with_ctx
   (dds_entity_t topic);
 
+DDS_EXPORT dds_entity_t dds_create_topic_impl (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist);
+
 #if defined (__cplusplus)
 }
 #endif
diff --git a/src/core/ddsc/src/dds_builtin.c b/src/core/ddsc/src/dds_builtin.c
index 8dd026f..ca45561 100644
--- a/src/core/ddsc/src/dds_builtin.c
+++ b/src/core/ddsc/src/dds_builtin.c
@@ -76,7 +76,7 @@ dds_entity_t dds__get_builtin_topic (dds_entity_t entity, dds_entity_t topic)
   }
 
   dds_qos_t *qos = dds__create_builtin_qos ();
-  tp = dds_create_topic_arbitrary (par->m_entity.m_hdllink.hdl, sertopic, qos, NULL, NULL);
+  tp = dds_create_topic_impl (par->m_entity.m_hdllink.hdl, sertopic, qos, NULL, NULL);
   dds_delete_qos (qos);
   dds_entity_unpin (e);
   return tp;
diff --git a/src/core/ddsc/src/dds_topic.c b/src/core/ddsc/src/dds_topic.c
index 7d9df7d..4796703 100644
--- a/src/core/ddsc/src/dds_topic.c
+++ b/src/core/ddsc/src/dds_topic.c
@@ -280,7 +280,7 @@ const struct dds_entity_deriver dds_entity_deriver_topic = {
   .validate_status = dds_topic_status_validate
 };
 
-dds_entity_t dds_create_topic_arbitrary (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
+dds_entity_t dds_create_topic_impl (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
 {
   dds_return_t rc;
   dds_participant *par;
@@ -465,6 +465,15 @@ err_invalid_qos:
   return rc;
 }
 
+dds_entity_t dds_create_topic_arbitrary (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
+{
+  assert(sertopic);
+  assert(sertopic->name);
+  if (!strncmp(sertopic->name, "DCPS", 4))
+    return DDS_RETCODE_BAD_PARAMETER;
+  return dds_create_topic_impl (participant, sertopic, qos, listener, sedp_plist);
+}
+
 dds_entity_t dds_create_topic (dds_entity_t participant, const dds_topic_descriptor_t *desc, const char *name, const dds_qos_t *qos, const dds_listener_t *listener)
 {
   struct ddsi_sertopic_default *st;
diff --git a/src/core/ddsc/tests/topic.c b/src/core/ddsc/tests/topic.c
index d71c8d5..3707715 100644
--- a/src/core/ddsc/tests/topic.c
+++ b/src/core/ddsc/tests/topic.c
@@ -177,7 +177,7 @@ CU_Test(ddsc_topic_create, desc_null, .init=ddsc_topic_init, .fini=ddsc_topic_fi
 
 
 CU_TheoryDataPoints(ddsc_topic_create, invalid_names) = {
-        CU_DataPoints(char *, NULL, "", "mi-dle", "-start", "end-", "1st", "Thus$", "pl+s", "t(4)"),
+        CU_DataPoints(char *, NULL, "", "mi-dle", "-start", "end-", "1st", "Thus$", "pl+s", "t(4)", "DCPSmytopic"),
 };
 CU_Theory((char *name), ddsc_topic_create, invalid_names, .init=ddsc_topic_init, .fini=ddsc_topic_fini)
 {
diff --git a/src/security/api/include/dds/security/dds_security_api_err.h b/src/security/api/include/dds/security/dds_security_api_err.h
index 20ee24b..9246ba5 100644
--- a/src/security/api/include/dds/security/dds_security_api_err.h
+++ b/src/security/api/include/dds/security/dds_security_api_err.h
@@ -97,16 +97,14 @@ extern "C" {
 #define DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE 146
 #define DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE "Subject name is invalid"
 #define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE 147
-#define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE "Permissions validity period expired for %s"
+#define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE "Permissions validity period expired for %s (expired: %s)"
 #define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE 148
-#define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE "Permissions validity period has not started yet for %s"
+#define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE "Permissions validity period has not started yet for %s (start: %s)"
 #define DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_CODE 149
 #define DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_MESSAGE "Could not find valid grant in permissions"
-#define DDS_SECURITY_ERR_PERMISSIONS_OUT_OF_VALIDITY_DATE_CODE 150
-#define DDS_SECURITY_ERR_PERMISSIONS_OUT_OF_VALIDITY_DATE_MESSAGE "Permissions of subject (%s) outside validity date: %s - %s"
-#define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE 151
+#define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE 150
 #define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_MESSAGE "Unsupported URI type: %s"
-#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 152
+#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 151
 #define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_MESSAGE "The payload is not aligned at 4 bytes"
 
 #define DDS_SECURITY_ERR_UNDEFINED_CODE 200
diff --git a/src/security/builtin_plugins/CMakeLists.txt b/src/security/builtin_plugins/CMakeLists.txt
index 113d0b4..93feffb 100644
--- a/src/security/builtin_plugins/CMakeLists.txt
+++ b/src/security/builtin_plugins/CMakeLists.txt
@@ -11,6 +11,7 @@
 #
 cmake_minimum_required(VERSION 3.7)
 
+add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/access_control")
 add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/authentication")
 add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/cryptographic")
 
diff --git a/src/security/builtin_plugins/access_control/CMakeLists.txt b/src/security/builtin_plugins/access_control/CMakeLists.txt
new file mode 100644
index 0000000..c0cee0a
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/CMakeLists.txt
@@ -0,0 +1,55 @@
+#
+# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v. 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+# v. 1.0 which is available at
+# http://www.eclipse.org/org/documents/edl-v10.php.
+#
+# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+#
+include (GenerateExportHeader)
+
+find_package(OpenSSL)
+
+PREPEND(srcs_accesscontrol "${CMAKE_CURRENT_LIST_DIR}/src"
+    access_control_objects.c
+    access_control_parser.c
+    access_control_utils.c
+    access_control.c
+)
+
+add_library(dds_security_ac SHARED "")
+
+generate_export_header(
+    dds_security_ac
+        BASE_NAME SECURITY
+        EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/security/export.h"
+)
+
+add_definitions(-DDDSI_INCLUDE_SSL)
+
+target_link_libraries(dds_security_ac PUBLIC ddsc)
+target_link_libraries(dds_security_ac PUBLIC OpenSSL::SSL)
+
+target_sources(dds_security_ac
+    PRIVATE
+        ${srcs_accesscontrol}
+)
+
+target_include_directories(dds_security_ac
+    PUBLIC
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:$<TARGET_PROPERTY:ddsrt,INTERFACE_INCLUDE_DIRECTORIES>>"
+        "$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/include>"
+)
+
+install(
+  TARGETS
+  EXPORT "${PROJECT_NAME}"
+  RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
+  LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+  ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
+)
diff --git a/src/security/builtin_plugins/access_control/src/access_control.c b/src/security/builtin_plugins/access_control/src/access_control.c
new file mode 100644
index 0000000..f356445
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control.c
@@ -0,0 +1,2486 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#define ACCESS_CONTROL_USE_ONE_PERMISSION
+
+#include <assert.h>
+#include <string.h>
+#include <openssl/x509.h>
+#include <openssl/err.h>
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/sync.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "access_control.h"
+#include "access_control_utils.h"
+#include "access_control_objects.h"
+#include "access_control_parser.h"
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#define REMOVE_THREAD_STATE() ERR_remove_thread_state(NULL);
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L
+#define REMOVE_THREAD_STATE() ERR_remove_state(0);
+#else
+#define REMOVE_THREAD_STATE()
+#endif
+
+static const char *ACCESS_CONTROL_PROTOCOL_CLASS = "DDS:Access";
+static const unsigned ACCESS_CONTROL_PROTOCOL_VERSION_MAJOR = 1;
+static const unsigned ACCESS_CONTROL_PROTOCOL_VERSION_MINOR = 0;
+
+static const char *ACCESS_CONTROL_PERMISSIONS_CLASS_ID = "Permissions";
+
+static const char *QOS_PROPERTY_PERMISSIONS_DOCUMENT = "dds.sec.access.permissions";
+static const char *QOS_PROPERTY_GOVERNANCE_DOCUMENT = "dds.sec.access.governance";
+static const char *QOS_PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *QOS_PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+
+static const char *ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID = "DDS:Access:PermissionsCredential";
+static const char *ACCESS_PROPERTY_PERMISSION_DOCUMENT = "dds.perm.cert";
+
+typedef enum TOPIC_TYPE
+{
+  TOPIC_TYPE_USER = 0,
+  TOPIC_TYPE_NON_SECURE_BUILTIN,
+  TOPIC_TYPE_SECURE_ParticipantsSecure,
+  TOPIC_TYPE_SECURE_PublicationsSecure,
+  TOPIC_TYPE_SECURE_SubscriptionsSecure,
+  TOPIC_TYPE_SECURE_ParticipantMessageSecure,
+  TOPIC_TYPE_SECURE_ParticipantStatelessMessage,
+  TOPIC_TYPE_SECURE_ParticipantVolatileMessageSecure
+} TOPIC_TYPE;
+
+/**
+ * Implementation structure for storing encapsulated members of the instance
+ * while giving only the interface definition to user
+ */
+
+typedef struct dds_security_access_control_impl
+{
+  dds_security_access_control base;
+  ddsrt_mutex_t lock;
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  local_participant_access_rights *local_access_rights;
+#else
+  /* TODO: implement access rights per participant */
+  struct AccessControlTable *local_permissions;
+#endif
+  struct AccessControlTable *remote_permissions;
+#if TIMED_CALLBACK_IMPLEMENTED
+  struct ut_timed_dispatcher_t *timed_callbacks;
+#endif
+} dds_security_access_control_impl;
+
+static bool get_sec_attributes(dds_security_access_control_impl *ac, const DDS_Security_PermissionsHandle permissions_handle, const char *topic_name,
+    DDS_Security_EndpointSecurityAttributes *attributes, DDS_Security_SecurityException *ex);
+static char *get_access_control_class_id(const char *classid);
+static local_participant_access_rights *check_and_create_local_participant_rights(DDS_Security_IdentityHandle identity_handle, int domain_id, const DDS_Security_Qos *participant_qos, DDS_Security_SecurityException *ex);
+static remote_participant_access_rights *check_and_create_remote_participant_rights(DDS_Security_IdentityHandle remote_identity_handle, local_participant_access_rights *local_rights,
+    const DDS_Security_PermissionsToken *remote_permissions_token, const DDS_Security_AuthenticatedPeerCredentialToken *remote_credential_token, DDS_Security_SecurityException *ex);
+static local_participant_access_rights *find_local_access_rights(dds_security_access_control_impl *ac, DDS_Security_PermissionsHandle handle);
+static local_participant_access_rights *find_local_rights_by_identity(dds_security_access_control_impl *ac, DDS_Security_IdentityHandle identity_handle);
+static remote_participant_access_rights *find_remote_rights_by_identity(dds_security_access_control_impl *ac, DDS_Security_IdentityHandle identity_handle);
+static DDS_Security_boolean domainid_within_sets(struct domain_id_set *domain, int domain_id);
+static DDS_Security_boolean is_topic_in_criteria(const struct criteria *criteria, const char *topic_name);
+static DDS_Security_boolean is_partition_qos_in_criteria(const struct criteria *criteria, const DDS_Security_PartitionQosPolicy *partitions);
+static DDS_Security_boolean is_partition_in_criteria(const struct criteria *criteria, const char *partition_name);
+static struct domain_rule *find_domain_rule_in_governance(struct domain_rule *rule, int domain_id);
+static DDS_Security_boolean get_participant_sec_attributes(dds_security_access_control *instance, const DDS_Security_PermissionsHandle permissions_handle,
+    DDS_Security_ParticipantSecurityAttributes *attributes, DDS_Security_SecurityException *ex);
+static DDS_Security_boolean get_permissions_token(dds_security_access_control *instance, DDS_Security_PermissionsToken *permissions_token, const DDS_Security_PermissionsHandle handle, DDS_Security_SecurityException *ex);
+static remote_participant_access_rights *find_remote_permissions_by_permissions_handle(dds_security_access_control_impl *ac, DDS_Security_PermissionsHandle permissions_handle);
+static struct topic_rule *find_topic_from_domain_rule(struct domain_rule *domain_rule, const char *topic_name);
+static DDS_Security_boolean domainid_within_sets(struct domain_id_set *domain, int domain_id);
+static DDS_Security_boolean compare_class_id_plugin_classname(DDS_Security_string class_id_1, DDS_Security_string class_id_2);
+static DDS_Security_boolean compare_class_id_major_ver(DDS_Security_string class_id_1, DDS_Security_string class_id_2);
+#if TIMED_CALLBACK_IMPLEMENTED
+  static void add_validity_end_trigger(dds_security_access_control_impl *ac, const DDS_Security_PermissionsHandle permissions_handle, dds_time_t end);
+#endif
+static DDS_Security_boolean is_allowed_by_permissions(struct permissions_parser *permissions, int domain_id, const char *topic_name, const DDS_Security_PartitionQosPolicy *partitions,
+    const char *identity_subject_name, permission_criteria_type criteria_type, DDS_Security_SecurityException *ex);
+static void sanity_check_local_access_rights(local_participant_access_rights *rights);
+static void sanity_check_remote_access_rights(remote_participant_access_rights *rights);
+static TOPIC_TYPE get_topic_type(const char *topic_name);
+
+
+static DDS_Security_PermissionsHandle
+validate_local_permissions(
+    dds_security_access_control *instance,
+    const dds_security_authentication *auth_plugin,
+    const DDS_Security_IdentityHandle identity_handle,
+    const DDS_Security_DomainId domain_id,
+    const DDS_Security_Qos *participant_qos,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  DDS_Security_PermissionsHandle permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+  if (!instance || !auth_plugin || identity_handle == DDS_SECURITY_HANDLE_NIL || !participant_qos)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return DDS_SECURITY_HANDLE_NIL;
+  }
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  ddsrt_mutex_lock(&ac->lock);
+  if (ac->local_access_rights == NULL)
+  {
+    rights = check_and_create_local_participant_rights(identity_handle, domain_id, participant_qos, ex);
+    ac->local_access_rights = rights;
+  }
+  else
+  {
+    ACCESS_CONTROL_OBJECT_KEEP(ac->local_access_rights);
+    rights = ac->local_access_rights;
+  }
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  {
+    local_participant_access_rights *existing = find_local_rights_by_identity(ac, identity_handle);
+    if (existing)
+    {
+      ACCESS_CONTROL_OBJECT_RELEASE(existing);
+      return ACCESS_CONTROL_OBJECT_HANDLE(existing);
+    }
+
+    rights = check_and_create_local_participant_rights(identity_handle, domain_id, participant_qos, ex);
+    if (rights)
+      access_control_table_insert(ac->local_permissions, (AccessControlObject *)rights);
+  }
+#endif
+
+  permissions_handle = ACCESS_CONTROL_OBJECT_HANDLE(rights);
+
+  if (permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    assert (rights->permissions_expiry != DDS_TIME_INVALID);
+
+#if TIMED_CALLBACK_IMPLEMENTED
+    if (rights->permissions_expiry != 0)
+      add_validity_end_trigger(ac, permissions_handle, rights->permissions_expiry);
+#endif
+  }
+
+  return permissions_handle;
+}
+
+static DDS_Security_PermissionsHandle
+validate_remote_permissions(
+    dds_security_access_control *instance,
+    const dds_security_authentication *auth_plugin,
+    const DDS_Security_IdentityHandle local_identity_handle,
+    const DDS_Security_IdentityHandle remote_identity_handle,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const DDS_Security_AuthenticatedPeerCredentialToken *remote_credential_token,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *local_rights;
+  remote_participant_access_rights *remote_rights, *existing;
+  DDS_Security_PermissionsHandle permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+  if (!instance || !auth_plugin || local_identity_handle == DDS_SECURITY_HANDLE_NIL || remote_identity_handle == DDS_SECURITY_HANDLE_NIL ||
+      !remote_permissions_token || !remote_permissions_token->class_id || !remote_credential_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return DDS_SECURITY_HANDLE_NIL;
+  }
+
+  if (!(local_rights = find_local_rights_by_identity(ac, local_identity_handle)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return DDS_SECURITY_HANDLE_NIL;
+  }
+
+  if ((existing = find_remote_rights_by_identity(ac, remote_identity_handle)))
+  {
+    if (existing->local_rights->local_identity == local_identity_handle)
+    {
+      ACCESS_CONTROL_OBJECT_RELEASE(existing);
+      return ACCESS_CONTROL_OBJECT_HANDLE(existing);
+    }
+  }
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  if (existing)
+  {
+    /* No check because it has already been checked */
+    remote_rights = ac_remote_participant_access_rights_new(remote_identity_handle, local_rights, existing->permissions, existing->permissions_expiry, remote_permissions_token, existing->identity_subject_name);
+    sanity_check_remote_access_rights(remote_rights);
+    /* TODO: copy or relate security attributes of existing with new remote permissions object */
+  }
+  else
+  {
+    remote_rights = check_and_create_remote_participant_rights(remote_identity_handle, local_rights, remote_permissions_token, remote_credential_token, ex);
+  }
+#else
+  remote_rights = check_and_create_remote_participant_rights(remote_identity_handle, local_rights, remote_permissions_token, remote_credential_token, ex);
+#endif
+
+  permissions_handle = ACCESS_CONTROL_OBJECT_HANDLE(remote_rights);
+
+#if TIMED_CALLBACK_IMPLEMENTED
+  if (permissions_handle != DDS_SECURITY_HANDLE_NIL)
+    add_validity_end_trigger(ac, permissions_handle, remote_rights->permissions_expiry);
+#endif
+
+  if (remote_rights)
+    access_control_table_insert(ac->remote_permissions, (AccessControlObject *)remote_rights);
+
+  ACCESS_CONTROL_OBJECT_RELEASE(existing);
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+
+  return permissions_handle;
+}
+
+static DDS_Security_boolean
+check_create_participant(dds_security_access_control *instance,
+                         const DDS_Security_PermissionsHandle permissions_handle,
+                         const DDS_Security_DomainId domain_id,
+                         const DDS_Security_Qos *participant_qos,
+                         DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  struct domain_rule *domainRule = NULL;
+  struct topic_rule *topicRule = NULL;
+  DDS_Security_ParticipantSecurityAttributes participantSecurityAttributes;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || participant_qos == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* Retrieve rights */
+  if ((rights = find_local_access_rights(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Could not find local rights for the participant.");
+    return false;
+  }
+
+  /* Retrieve domain rules */
+  domainRule = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, domain_id);
+  if (domainRule == NULL || domainRule->topic_access_rules == NULL || domainRule->topic_access_rules->topic_rule == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, domain_id);
+    goto exit;
+  }
+
+  /* Iterate over topics rules*/
+  topicRule = domainRule->topic_access_rules->topic_rule;
+  while (topicRule != NULL)
+  {
+    if (!topicRule->enable_read_access_control->value || !topicRule->enable_write_access_control->value)
+    {
+      /* Governance specifies any topics on the DomainParticipant
+         domain_id with enable_read_access_control set to false or with enable_write_access_control set to false */
+      result = true;
+      goto exit;
+    }
+    topicRule = (struct topic_rule *)topicRule->node.next;
+  }
+
+  if (!get_participant_sec_attributes(instance, permissions_handle, &participantSecurityAttributes, ex))
+    goto exit;
+
+  if (!participantSecurityAttributes.is_access_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Is this participant permitted? */
+  result = is_allowed_by_permissions(rights->permissions_tree, domain_id, NULL /* topic_name */, NULL /* partitions */, rights->identity_subject_name, UNKNOWN_CRITERIA, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_create_datawriter(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id, const char *topic_name,
+                        const DDS_Security_Qos *writer_qos,
+                        const DDS_Security_PartitionQosPolicy *partition,
+                        const DDS_Security_DataTags *data_tag,
+                        DDS_Security_SecurityException *ex)
+{
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  local_participant_access_rights *local_rights;
+  DDS_Security_boolean result = false;
+  DDSRT_UNUSED_ARG(data_tag);
+
+  if (instance == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Plugin instance not provided");
+    return false;
+  }
+  if (permissions_handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Permissions handle not provided");
+    return false;
+  }
+  if (topic_name == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Topic name not provided");
+    return false;
+  }
+  if (writer_qos == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "QoS not provided");
+    return false;
+  }
+  if (partition == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Partition not provided");
+    return false;
+  }
+  if ((local_rights = find_local_access_rights((dds_security_access_control_impl *)instance, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Could not find rights material");
+    return false;
+  }
+  if (local_rights->domain_id != domain_id)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+        "Given domain_id (%d) does not match the related participant domain_id (%d)\n", domain_id, local_rights->domain_id);
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  if (!(result = instance->get_topic_sec_attributes(instance, permissions_handle, topic_name, &topic_sec_attr, ex)))
+    goto exit;
+
+  if (!topic_sec_attr.is_write_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(local_rights->permissions_tree, domain_id, topic_name, partition, local_rights->identity_subject_name, PUBLISH_CRITERIA, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_create_datareader(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id,
+                        const char *topic_name,
+                        const DDS_Security_Qos *reader_qos,
+                        const DDS_Security_PartitionQosPolicy *partition,
+                        const DDS_Security_DataTags *data_tag,
+                        DDS_Security_SecurityException *ex)
+{
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  local_participant_access_rights *local_rights;
+  DDS_Security_boolean result = false;
+
+  DDSRT_UNUSED_ARG(data_tag);
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_name == NULL || reader_qos == NULL || partition == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((local_rights = find_local_access_rights((dds_security_access_control_impl *)instance, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if (local_rights->domain_id != domain_id)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+        "Given domain_id (%d) does not match the related participant domain_id (%d)\n", domain_id, local_rights->domain_id);
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  if ((result = instance->get_topic_sec_attributes(instance, permissions_handle, topic_name, &topic_sec_attr, ex)) == false)
+    goto exit;
+
+  if (topic_sec_attr.is_read_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(local_rights->permissions_tree, domain_id, topic_name, partition, local_rights->identity_subject_name, SUBSCRIBE_CRITERIA, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_create_topic(dds_security_access_control *instance,
+                   const DDS_Security_PermissionsHandle permissions_handle,
+                   const DDS_Security_DomainId domain_id, const char *topic_name,
+                   const DDS_Security_Qos *qos, DDS_Security_SecurityException *ex)
+{
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  local_participant_access_rights *local_rights;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || qos == NULL || topic_name == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((local_rights = find_local_access_rights((dds_security_access_control_impl *)instance, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if (local_rights->domain_id != domain_id)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0,
+        "Given domain_id (%d) does not match the related participant domain_id (%d)\n", domain_id, local_rights->domain_id);
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  if ((result = instance->get_topic_sec_attributes(instance, permissions_handle, topic_name, &topic_sec_attr, ex)) == false)
+    goto exit;
+
+  if (topic_sec_attr.is_read_protected == false || topic_sec_attr.is_write_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(local_rights->permissions_tree, domain_id, topic_name, NULL, local_rights->identity_subject_name, UNKNOWN_CRITERIA /* both publish and subscribe rules */, ex);
+
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_local_datawriter_register_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *writer, const DDS_Security_DynamicData *key,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(writer);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_local_datawriter_dispose_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *writer, const DDS_Security_DynamicData key,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(writer);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_remote_participant(dds_security_access_control *instance,
+                         const DDS_Security_PermissionsHandle permissions_handle,
+                         const DDS_Security_DomainId domain_id,
+                         const DDS_Security_ParticipantBuiltinTopicDataSecure *participant_data,
+                         DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  remote_participant_access_rights *remote_rights = NULL;
+  DDS_Security_boolean isValid = false;
+  DDS_Security_ParticipantSecurityAttributes participantSecurityAttributes;
+  DDS_Security_PermissionsHandle local_permissions_handle;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || participant_data == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* retrieve the cached remote DomainParticipant Governance; the permissions_handle is associated with the remote participant */
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* The local rights pointer is actually the local permissions handle. */
+  local_permissions_handle = ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights);
+  if ((isValid = get_participant_sec_attributes(instance, local_permissions_handle, &participantSecurityAttributes, ex)) == false)
+    goto exit;
+  if (participantSecurityAttributes.is_access_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* 2) If the PluginClassName or the MajorVersion of the local permissions_token differ from those in the remote_permissions_token,
+       the operation shall return false. */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (compare_class_id_major_ver(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    goto exit_free_classid;
+  }
+
+  /* 3) If the Permissions document contains a Grant for the remote DomainParticipant and the Grant contains an allow rule on
+       the DomainParticipant domain_id, then the  operation shall succeed and return true. */
+  /* Iterate over the grants and rules of the remote participant */
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, NULL, NULL, remote_rights->identity_subject_name, UNKNOWN_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_remote_datawriter(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id,
+                        const DDS_Security_PublicationBuiltinTopicDataSecure *publication_data,
+                        DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  remote_participant_access_rights *remote_rights;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || publication_data == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((result = instance->get_topic_sec_attributes(instance, ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights), publication_data->topic_name, &topic_sec_attr, ex)) == false)
+    goto exit;
+  if (topic_sec_attr.is_write_protected == false)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Compare PluginClassName and MajorVersion parts */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0,
+        DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (compare_class_id_major_ver(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0,
+        DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    goto exit_free_classid;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, publication_data->topic_name,
+      &(publication_data->partition), remote_rights->identity_subject_name, PUBLISH_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_remote_datareader(dds_security_access_control *instance,
+                        const DDS_Security_PermissionsHandle permissions_handle,
+                        const DDS_Security_DomainId domain_id,
+                        const DDS_Security_SubscriptionBuiltinTopicDataSecure *subscription_data,
+                        DDS_Security_boolean *relay_only,
+                        DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  remote_participant_access_rights *remote_rights;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || subscription_data == NULL || relay_only == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  *relay_only = false;
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if (!(instance->get_topic_sec_attributes(instance, ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights), subscription_data->topic_name, &topic_sec_attr, ex)))
+    goto exit;
+  if (!topic_sec_attr.is_read_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Compare PluginClassName and MajorVersion parts */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0,
+        DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (compare_class_id_major_ver(class_id_remote_str, class_id_local_str) == false)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0,
+                               DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+    goto exit_free_classid;
+  }
+
+  /* Find a topic with the specified topic name in the Governance */
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, subscription_data->topic_name,
+      &(subscription_data->partition), remote_rights->identity_subject_name, SUBSCRIBE_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_remote_topic(dds_security_access_control *instance,
+                   const DDS_Security_PermissionsHandle permissions_handle,
+                   const DDS_Security_DomainId domain_id,
+                   const DDS_Security_TopicBuiltinTopicData *topic_data,
+                   DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  DDS_Security_TopicSecurityAttributes topic_sec_attr;
+  remote_participant_access_rights *remote_rights;
+  DDS_Security_string class_id_remote_str;
+  DDS_Security_string class_id_local_str;
+  DDS_Security_boolean result = false;
+
+  if (instance == NULL || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_data == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((remote_rights = find_remote_permissions_by_permissions_handle(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  if ((result = instance->get_topic_sec_attributes(instance, ACCESS_CONTROL_OBJECT_HANDLE(remote_rights->local_rights), topic_data->name, &topic_sec_attr, ex)) == false)
+    goto exit;
+  if (!topic_sec_attr.is_read_protected || !topic_sec_attr.is_write_protected)
+  {
+    result = true;
+    goto exit;
+  }
+
+  /* Compare PluginClassName and MajorVersion parts */
+  class_id_remote_str = remote_rights->permissions->remote_permissions_token_class_id;
+  class_id_local_str = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  if (!compare_class_id_plugin_classname(class_id_remote_str, class_id_local_str))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_CODE, 0,
+      DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_CLASSNAME_MESSAGE);
+    goto exit_free_classid;
+  }
+  if (!compare_class_id_major_ver(class_id_remote_str, class_id_local_str))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_CODE, 0,
+      DDS_SECURITY_ERR_INCOMPATIBLE_REMOTE_PLUGIN_MAJORVERSION_MESSAGE);
+    goto exit_free_classid;
+  }
+
+  result = is_allowed_by_permissions(remote_rights->permissions->permissions_tree, domain_id, topic_data->name, NULL, remote_rights->identity_subject_name, UNKNOWN_CRITERIA, ex);
+
+exit_free_classid:
+  ddsrt_free(class_id_local_str);
+exit:
+  ACCESS_CONTROL_OBJECT_RELEASE(remote_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+check_local_datawriter_match(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle writer_permissions_handle,
+    const DDS_Security_PermissionsHandle reader_permissions_handle,
+    const DDS_Security_PublicationBuiltinTopicDataSecure *publication_data,
+    const DDS_Security_SubscriptionBuiltinTopicDataSecure *subscription_data,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(writer_permissions_handle);
+  DDSRT_UNUSED_ARG(reader_permissions_handle);
+  DDSRT_UNUSED_ARG(publication_data);
+  DDSRT_UNUSED_ARG(subscription_data);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* This function is not implemented because it relies on DataTagging,
+     an optional DDS Security feature that is not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_local_datareader_match(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle reader_permissions_handle,
+    const DDS_Security_PermissionsHandle writer_permissions_handle,
+    const DDS_Security_SubscriptionBuiltinTopicDataSecure *subscription_data,
+    const DDS_Security_PublicationBuiltinTopicDataSecure *publication_data,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(reader_permissions_handle);
+  DDSRT_UNUSED_ARG(writer_permissions_handle);
+  DDSRT_UNUSED_ARG(subscription_data);
+  DDSRT_UNUSED_ARG(publication_data);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_remote_datawriter_register_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *reader,
+    const DDS_Security_InstanceHandle publication_handle,
+    const DDS_Security_DynamicData key,
+    const DDS_Security_InstanceHandle instance_handle,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(reader);
+  DDSRT_UNUSED_ARG(publication_handle);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(instance_handle);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+check_remote_datawriter_dispose_instance(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const DDS_Security_Entity *reader,
+    const DDS_Security_InstanceHandle publication_handle,
+    const DDS_Security_DynamicData key,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(permissions_handle);
+  DDSRT_UNUSED_ARG(reader);
+  DDSRT_UNUSED_ARG(publication_handle);
+  DDSRT_UNUSED_ARG(key);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+
+  /* Not implemented */
+  return true;
+}
+
+static DDS_Security_boolean
+get_permissions_token(dds_security_access_control *instance,
+                      DDS_Security_PermissionsToken *permissions_token,
+                      const DDS_Security_PermissionsHandle handle,
+                      DDS_Security_SecurityException *ex)
+{
+  local_participant_access_rights *rights;
+  if (!ex)
+    return false;
+  if (!instance)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_token: No instance provided");
+    return false;
+  }
+  if (!permissions_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_token: No permissions token provided");
+    return false;
+  }
+  if (handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_token: No permissions handle provided");
+    return false;
+  }
+  if ((rights = find_local_access_rights((dds_security_access_control_impl *)instance, handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "get_permissions_token: Unused permissions handle provided");
+    return false;
+  }
+
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  memset(permissions_token, 0, sizeof(*permissions_token));
+  permissions_token->class_id = get_access_control_class_id(ACCESS_CONTROL_PERMISSIONS_CLASS_ID);
+  return true;
+}
+
+static DDS_Security_boolean
+get_permissions_credential_token(
+    dds_security_access_control *instance,
+    DDS_Security_PermissionsCredentialToken *permissions_credential_token,
+    const DDS_Security_PermissionsHandle handle,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  if (!ex)
+    return false;
+  if (!instance)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_credential_token: No instance provided");
+    return false;
+  }
+  if (!permissions_credential_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_credential_token: No permissions credential token provided");
+    return false;
+  }
+  if (handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED, "get_permissions_credential_token: No permissions handle provided");
+    return false;
+  }
+  if ((rights = find_local_access_rights(ac, handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "get_permissions_credential_token: Unused permissions handle provided");
+    return false;
+  }
+
+  memset(permissions_credential_token, 0, sizeof(*permissions_credential_token));
+  permissions_credential_token->class_id = ddsrt_strdup(ACCESS_PERMISSIONS_CREDENTIAL_TOKEN_ID);
+  permissions_credential_token->properties._length = permissions_credential_token->properties._maximum = 1;
+  permissions_credential_token->properties._buffer = DDS_Security_PropertySeq_allocbuf(1);
+  permissions_credential_token->properties._buffer[0].name = ddsrt_strdup(ACCESS_PROPERTY_PERMISSION_DOCUMENT);
+  permissions_credential_token->properties._buffer[0].value = ddsrt_strdup(rights->permissions_document);
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return true;
+}
+
+
+static DDS_Security_boolean
+set_listener(dds_security_access_control *instance,
+             const dds_security_access_control_listener *listener,
+             DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(ex);
+#if TIMED_CALLBACK_IMPLEMENTED
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  if (listener)
+    ut_timed_dispatcher_enable(ac->timed_callbacks, (void *)listener);
+  else
+    ut_timed_dispatcher_disable(ac->timed_callbacks);
+#else
+  DDSRT_UNUSED_ARG(instance);
+  DDSRT_UNUSED_ARG(listener);
+#endif
+
+  return true;
+}
+
+static DDS_Security_boolean
+return_permissions_token(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsToken *token,
+    DDS_Security_SecurityException *ex)
+{
+  if (!instance || !token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)token);
+  return true;
+}
+
+static DDS_Security_boolean
+return_permissions_credential_token(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsCredentialToken *permissions_credential_token,
+    DDS_Security_SecurityException *ex)
+{
+  if (!instance || !permissions_credential_token)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)permissions_credential_token);
+  return true;
+}
+
+static void
+protectionkind_to_participant_attribute(
+    DDS_Security_ProtectionKind kind,
+    DDS_Security_boolean *is_protected,
+    DDS_Security_ParticipantSecurityAttributesMask *mask,
+    DDS_Security_ParticipantSecurityAttributesMask encryption_bit,
+    DDS_Security_ParticipantSecurityAttributesMask authentication_bit)
+{
+  switch (kind)
+  {
+  case DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION:
+    (*mask) |= authentication_bit;
+    (*mask) |= encryption_bit;
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_ENCRYPT:
+    (*mask) |= encryption_bit;
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION:
+    (*mask) |= authentication_bit;
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_SIGN:
+    (*is_protected) = true;
+    break;
+  case DDS_SECURITY_PROTECTION_KIND_NONE:
+  default:
+    (*is_protected) = false;
+    break;
+  }
+}
+
+static DDS_Security_PluginEndpointSecurityAttributesMask
+get_plugin_endpoint_security_attributes_mask(
+    DDS_Security_boolean is_payload_encrypted,
+    DDS_Security_boolean is_submessage_encrypted,
+    DDS_Security_boolean is_submessage_origin_authenticated)
+{
+  DDS_Security_PluginEndpointSecurityAttributesMask mask = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+  if (is_submessage_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  if (is_payload_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED;
+  if (is_submessage_origin_authenticated)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  return mask;
+}
+
+static void
+domain_rule_to_participant_attributes(
+    const struct domain_rule *rule,
+    DDS_Security_ParticipantSecurityAttributes *attributes)
+{
+  /* Expect proper rule. */
+  assert(rule);
+  assert(rule->allow_unauthenticated_participants);
+  assert(rule->enable_join_access_control);
+  assert(rule->liveliness_protection_kind);
+  assert(rule->discovery_protection_kind);
+  assert(rule->rtps_protection_kind);
+  assert(attributes);
+
+  memset(attributes, 0, sizeof(DDS_Security_ParticipantSecurityAttributes));
+
+  attributes->allow_unauthenticated_participants = rule->allow_unauthenticated_participants->value;
+  attributes->is_access_protected = rule->enable_join_access_control->value;
+
+  attributes->plugin_participant_attributes = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID;
+
+  protectionkind_to_participant_attribute(
+      rule->discovery_protection_kind->value,
+      &(attributes->is_discovery_protected),
+      &(attributes->plugin_participant_attributes),
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED,
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+
+  protectionkind_to_participant_attribute(
+      rule->liveliness_protection_kind->value,
+      &(attributes->is_liveliness_protected),
+      &(attributes->plugin_participant_attributes),
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED,
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED);
+
+  protectionkind_to_participant_attribute(
+      rule->rtps_protection_kind->value,
+      &(attributes->is_rtps_protected),
+      &(attributes->plugin_participant_attributes),
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED,
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED);
+}
+
+static DDS_Security_boolean
+domainid_within_sets(
+    struct domain_id_set *domain,
+    int domain_id)
+{
+  DDS_Security_boolean found = false;
+  int32_t min;
+  int32_t max;
+
+  while (domain != NULL && !found)
+  {
+    assert(domain->min);
+    min = domain->min->value;
+    max = domain->max ? domain->max->value : min;
+    if ((domain_id >= min) && (domain_id <= max))
+      found = true;
+    domain = (struct domain_id_set *)domain->node.next;
+  }
+  return found;
+}
+
+static struct domain_rule *
+find_domain_rule_in_governance(struct domain_rule *rule, int domain_id)
+{
+  struct domain_rule *found = NULL;
+  while ((rule != NULL) && (found == NULL))
+  {
+    assert(rule->domains);
+    if (domainid_within_sets(rule->domains->domain_id_set, domain_id))
+      found = rule;
+    rule = (struct domain_rule *)rule->node.next;
+  }
+  return found;
+}
+
+static DDS_Security_boolean
+get_participant_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    DDS_Security_ParticipantSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *local_rights;
+  struct domain_rule *found = NULL;
+  DDS_Security_boolean result = false;
+
+  if (instance == 0 || permissions_handle == DDS_SECURITY_HANDLE_NIL || attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  /* The local rights are actually the local permissions handle. Check that. */
+  if ((local_rights = find_local_access_rights(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Invalid permissions handle");
+    return false;
+  }
+  if ((found = find_domain_rule_in_governance(local_rights->governance_tree->dds->domain_access_rules->domain_rule, local_rights->domain_id)))
+  {
+    domain_rule_to_participant_attributes(found, attributes);
+    result = true;
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Could not domain id within governance file.");
+  }
+  ACCESS_CONTROL_OBJECT_RELEASE(local_rights);
+  return result;
+}
+
+static DDS_Security_boolean
+compare_class_id_plugin_classname(DDS_Security_string classid1, DDS_Security_string classid2)
+{
+  char *classname1 = strrchr(classid1, ':');
+  char *classname2 = strrchr(classid2, ':');
+  const ptrdiff_t len1 = classname1 - classid1;
+  const ptrdiff_t len2 = classname2 - classid2;
+  return len1 == len2 && classname1 && classname2 &&
+    ddsrt_strncasecmp(classid1, classid2, (size_t) len1) == 0;
+}
+
+static DDS_Security_boolean
+compare_class_id_major_ver(DDS_Security_string classid1, DDS_Security_string classid2)
+{
+  char *version_1 = strrchr(classid1, ':');
+  char *version_2 = strrchr(classid2, ':');
+  if (version_1 && version_2)
+  {
+    const char *majorVersion_1 = strrchr(version_1, '.');
+    const char *majorVersion_2 = strrchr(version_2, '.');
+    const ptrdiff_t len1 = majorVersion_1 - version_1;
+    const ptrdiff_t len2 = majorVersion_2 - version_2;
+    return len1 == len2 && majorVersion_1 && majorVersion_2 &&
+      ddsrt_strncasecmp(version_1, version_2, (size_t) len1) == 0;
+  }
+  return false;
+}
+
+static DDS_Security_boolean
+is_partition_qos_in_criteria(
+    const struct criteria *criteria,
+    const DDS_Security_PartitionQosPolicy *partitions)
+{
+  unsigned int partition_index = 0;
+  const char *partitionDefault[] = {""};
+  const DDS_Security_PartitionQosPolicy *partitionsToCheck;
+  DDS_Security_PartitionQosPolicy defaultPartitions;
+  defaultPartitions.name._length = 1;
+  defaultPartitions.name._maximum = 1;
+  defaultPartitions.name._buffer = (char **)partitionDefault;
+
+  if (criteria == NULL)
+    return false;
+
+  if (!partitions || partitions->name._length == 0)
+    partitionsToCheck = &defaultPartitions;
+  else
+    partitionsToCheck = partitions;
+
+  for (partition_index = 0; partition_index < partitionsToCheck->name._length; partition_index++)
+  {
+    if (is_partition_in_criteria(criteria, partitionsToCheck->name._buffer[partition_index]) == false)
+      return false;
+  }
+
+  return true;
+}
+
+static DDS_Security_boolean
+is_partition_in_criteria(
+    const struct criteria *criteria,
+    const char *partition_name)
+{
+  struct partitions *current_partitions;
+  struct string_value *current_partition;
+
+  if (criteria == NULL || partition_name == NULL)
+    return false;
+
+  current_partitions = (struct partitions *)criteria->partitions;
+  while (current_partitions != NULL)
+  {
+    current_partition = current_partitions->partition;
+    while (current_partition != NULL)
+    {
+      if (ac_fnmatch(current_partition->value, partition_name))
+        return true;
+      current_partition = (struct string_value *)current_partition->node.next;
+    }
+    current_partitions = (struct partitions *)current_partitions->node.next;
+  }
+  return false;
+}
+
+static DDS_Security_boolean
+is_topic_in_criteria(
+    const struct criteria *criteria,
+    const char *topic_name)
+{
+  struct topics *current_topics;
+  struct string_value *current_topic;
+
+  if (criteria == NULL || topic_name == NULL)
+    return false;
+
+  /* Start by checking for a matching topic */
+  current_topics = criteria->topics;
+  while (current_topics != NULL)
+  {
+    current_topic = current_topics->topic;
+    while (current_topic != NULL)
+    {
+      if (ac_fnmatch(current_topic->value, topic_name))
+        return true;
+      current_topic = (struct string_value *)current_topic->node.next;
+    }
+    current_topics = (struct topics *)current_topics->node.next;
+  }
+  return false;
+}
+
+static struct topic_rule *
+find_topic_from_domain_rule(
+    struct domain_rule *domain_rule,
+    const char *topic_name)
+{
+  struct topic_rule *topic_rule;
+  struct topic_rule *topic_found = NULL;
+
+  if (domain_rule->topic_access_rules != NULL &&
+      domain_rule->topic_access_rules->topic_rule != NULL)
+  {
+    topic_rule = domain_rule->topic_access_rules->topic_rule;
+    while (topic_rule != NULL && topic_found == NULL)
+    {
+      assert(topic_rule->topic_expression);
+      if (ac_fnmatch(topic_rule->topic_expression->value, topic_name))
+        topic_found = topic_rule;
+      topic_rule = (struct topic_rule *)topic_rule->node.next;
+    }
+  }
+  return topic_found;
+}
+
+static DDS_Security_boolean
+get_topic_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    DDS_Security_TopicSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  local_participant_access_rights *rights;
+  struct domain_rule *found;
+  DDS_Security_boolean result = false;
+
+  if (instance == 0)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No plugin instance provided");
+    return false;
+  }
+  if (permissions_handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No permissions handle provided");
+    return false;
+  }
+  if (topic_name == NULL || strlen(topic_name) == 0)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No topic name provided");
+    return false;
+  }
+  if (attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "No attributes provided");
+    return false;
+  }
+  rights = find_local_access_rights(ac, permissions_handle);
+  if (rights == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Unused permissions handle provided");
+    return false;
+  }
+
+  memset(attributes, 0, sizeof(*attributes));
+
+  if (get_topic_type(topic_name) != TOPIC_TYPE_USER)
+  {
+    /* No attributes are set for builtin topics. */
+    ACCESS_CONTROL_OBJECT_RELEASE(rights);
+    return true;
+  }
+
+  if ((found = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, rights->domain_id)))
+  {
+    struct topic_rule *topic_rule = find_topic_from_domain_rule(found, topic_name);
+    if (topic_rule)
+    {
+      attributes->is_discovery_protected = topic_rule->enable_discovery_protection->value;
+      attributes->is_liveliness_protected = topic_rule->enable_liveliness_protection->value;
+      attributes->is_read_protected = topic_rule->enable_read_access_control->value;
+      attributes->is_write_protected = topic_rule->enable_write_access_control->value;
+      result = true;
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_MESSAGE, topic_name, rights->domain_id);
+    }
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, rights->domain_id);
+  }
+
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return result;
+}
+
+static DDS_Security_boolean
+get_datawriter_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    const DDS_Security_PartitionQosPolicy *partition,
+    const DDS_Security_DataTagQosPolicy *data_tag,
+    DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(partition);
+  DDSRT_UNUSED_ARG(data_tag);
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+
+  if (instance == 0 || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_name == 0 || strlen(topic_name) == 0 || attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  return get_sec_attributes(ac, permissions_handle, topic_name, attributes, ex);
+}
+
+static DDS_Security_boolean
+get_datareader_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    const DDS_Security_PartitionQosPolicy *partition,
+    const DDS_Security_DataTagQosPolicy *data_tag,
+    DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(partition);
+  DDSRT_UNUSED_ARG(data_tag);
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+
+  if (instance == 0 || permissions_handle == DDS_SECURITY_HANDLE_NIL || topic_name == 0 || strlen(topic_name) == 0 || attributes == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+  return get_sec_attributes(ac, permissions_handle, topic_name, attributes, ex);
+}
+
+static DDS_Security_boolean
+return_participant_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_ParticipantSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_topic_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_TopicSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_datawriter_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_datareader_sec_attributes(
+    dds_security_access_control *instance,
+    const DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_UNUSED_ARG(attributes);
+  DDSRT_UNUSED_ARG(ex);
+  DDSRT_UNUSED_ARG(instance);
+  /* Nothing to do. */
+  return true;
+}
+
+static DDS_Security_boolean
+return_permissions_handle(
+    dds_security_access_control *instance,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    DDS_Security_SecurityException *ex)
+{
+  dds_security_access_control_impl *ac = (dds_security_access_control_impl *)instance;
+  AccessControlObject *object;
+
+  if (!instance || !permissions_handle)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  ddsrt_mutex_lock(&ac->lock);
+  if (permissions_handle == ACCESS_CONTROL_OBJECT_HANDLE(ac->local_access_rights))
+  {
+    ddsrt_mutex_unlock(&ac->lock);
+    return true;
+  }
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  object = access_control_table_find(ac->local_permissions, permissions_handle);
+  if (object)
+  {
+    access_control_table_remove_object(ac->local_permissions, object);
+    access_control_object_release(object);
+    return true;
+  }
+#endif
+
+  object = access_control_table_find(ac->remote_permissions, permissions_handle);
+  if (!object)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  access_control_table_remove_object(ac->remote_permissions, object);
+  access_control_object_release(object);
+  return true;
+}
+
+int init_access_control(const char *argument, void **context)
+{
+  DDSRT_UNUSED_ARG(argument);
+
+  dds_security_access_control_impl *access_control = ddsrt_malloc(sizeof(*access_control));
+  memset(access_control, 0, sizeof(*access_control));
+
+#if TIMED_CALLBACK_IMPLEMENTED
+  access_control->timed_callbacks = ut_timed_dispatcher_new();
+#endif
+  access_control->base.validate_local_permissions = &validate_local_permissions;
+  access_control->base.validate_remote_permissions = &validate_remote_permissions;
+  access_control->base.check_create_participant = &check_create_participant;
+  access_control->base.check_create_datawriter = &check_create_datawriter;
+  access_control->base.check_create_datareader = &check_create_datareader;
+  access_control->base.check_create_topic = &check_create_topic;
+  access_control->base.check_local_datawriter_register_instance = &check_local_datawriter_register_instance;
+  access_control->base.check_local_datawriter_dispose_instance = &check_local_datawriter_dispose_instance;
+  access_control->base.check_remote_participant = &check_remote_participant;
+  access_control->base.check_remote_datawriter = &check_remote_datawriter;
+  access_control->base.check_remote_datareader = &check_remote_datareader;
+  access_control->base.check_remote_topic = &check_remote_topic;
+  access_control->base.check_local_datawriter_match = &check_local_datawriter_match;
+  access_control->base.check_local_datareader_match = &check_local_datareader_match;
+  access_control->base.check_remote_datawriter_register_instance = &check_remote_datawriter_register_instance;
+  access_control->base.check_remote_datawriter_dispose_instance = &check_remote_datawriter_dispose_instance;
+  access_control->base.get_permissions_token = &get_permissions_token;
+  access_control->base.get_permissions_credential_token = &get_permissions_credential_token;
+  access_control->base.set_listener = &set_listener;
+  access_control->base.return_permissions_token = &return_permissions_token;
+  access_control->base.return_permissions_credential_token = &return_permissions_credential_token;
+  access_control->base.get_participant_sec_attributes = &get_participant_sec_attributes;
+  access_control->base.get_topic_sec_attributes = &get_topic_sec_attributes;
+  access_control->base.get_datawriter_sec_attributes = &get_datawriter_sec_attributes;
+  access_control->base.get_datareader_sec_attributes = &get_datareader_sec_attributes;
+  access_control->base.return_participant_sec_attributes = &return_participant_sec_attributes;
+  access_control->base.return_topic_sec_attributes = &return_topic_sec_attributes;
+  access_control->base.return_datawriter_sec_attributes = &return_datawriter_sec_attributes;
+  access_control->base.return_datareader_sec_attributes = &return_datareader_sec_attributes;
+  access_control->base.return_permissions_handle = &return_permissions_handle;
+  ddsrt_mutex_init(&access_control->lock);
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  access_control->local_access_rights = NULL;
+#else
+  access_control->local_permissions = access_control_table_new();
+#endif
+  access_control->remote_permissions = access_control_table_new();
+
+  OpenSSL_add_all_algorithms();
+  OpenSSL_add_all_ciphers();
+  OpenSSL_add_all_digests();
+  ERR_load_BIO_strings();
+  ERR_load_crypto_strings();
+
+  *context = access_control;
+  return 0;
+}
+
+static bool
+get_sec_attributes(
+    dds_security_access_control_impl *ac,
+    const DDS_Security_PermissionsHandle permissions_handle,
+    const char *topic_name,
+    DDS_Security_EndpointSecurityAttributes *attributes,
+    DDS_Security_SecurityException *ex)
+{
+  local_participant_access_rights *rights;
+  DDS_Security_boolean result = false;
+  TOPIC_TYPE topic_type;
+  assert(topic_name);
+  assert(attributes);
+  memset(attributes, 0, sizeof(DDS_Security_EndpointSecurityAttributes));
+  if ((rights = find_local_access_rights(ac, permissions_handle)) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, "Invalid permissions handle");
+    return false;
+  }
+
+  if ((topic_type = get_topic_type(topic_name)) != TOPIC_TYPE_USER)
+  {
+    /* Builtin topics are treated in a special manner. */
+    result = true;
+
+    if (topic_type == TOPIC_TYPE_SECURE_ParticipantsSecure || topic_type == TOPIC_TYPE_SECURE_PublicationsSecure ||
+        topic_type == TOPIC_TYPE_SECURE_SubscriptionsSecure || topic_type == TOPIC_TYPE_SECURE_ParticipantMessageSecure)
+    {
+      struct domain_rule *found = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, rights->domain_id);
+      if (found)
+      { /* Domain matched */
+        /* is_submessage_protected should match is_liveliness_protected of
+             * ParticipantSecurityAttributes for DCPSParticipantMessageSecure.
+             * is_submessage_protected should match is_discovery_protected of
+             * ParticipantSecurityAttributes for OTHER 3.*/
+        if (topic_type == TOPIC_TYPE_SECURE_ParticipantMessageSecure)
+        {
+          attributes->is_submessage_protected = !(found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_NONE);
+          attributes->plugin_endpoint_attributes = get_plugin_endpoint_security_attributes_mask(
+              /* payload encrypted */
+              false,
+              /* submsg encrypted */
+              found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT ||
+                  found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION,
+              /* submsg authenticated */
+              found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION ||
+                  found->liveliness_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION);
+        }
+        else
+        {
+          attributes->is_submessage_protected = !(found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_NONE);
+          attributes->plugin_endpoint_attributes = get_plugin_endpoint_security_attributes_mask(
+              /* payload encrypted */
+              false,
+              /* submsg encrypted */
+              found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT ||
+                  found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION,
+              /* submsg authenticated */
+              found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION ||
+                  found->discovery_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION);
+        }
+      }
+      else
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, rights->domain_id);
+        result = false;
+      }
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+    }
+    else if (topic_type == TOPIC_TYPE_SECURE_ParticipantStatelessMessage)
+    {
+      attributes->plugin_endpoint_attributes = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+      attributes->is_submessage_protected = false;
+    }
+    else if (topic_type == TOPIC_TYPE_SECURE_ParticipantVolatileMessageSecure)
+    {
+      attributes->plugin_endpoint_attributes = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID |
+                                               DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+      attributes->is_submessage_protected = true;
+    }
+    else
+    {
+      /* Non secure builtin topics. */
+      attributes->plugin_endpoint_attributes = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+      attributes->is_read_protected = false;
+      attributes->is_write_protected = false;
+      attributes->is_payload_protected = false;
+      attributes->is_key_protected = false;
+      attributes->is_submessage_protected = false;
+    }
+  }
+  else
+  {
+    /* Normal user topic attributes are acquired from governance and permission documents. */
+    struct domain_rule *found = find_domain_rule_in_governance(rights->governance_tree->dds->domain_access_rules->domain_rule, rights->domain_id);
+    if (found)
+    { /* Domain matched */
+      struct topic_rule *topic_rule = find_topic_from_domain_rule(found, topic_name);
+      if (topic_rule)
+      { /* Topic matched */
+        attributes->is_discovery_protected = topic_rule->enable_discovery_protection->value;
+        attributes->is_liveliness_protected = topic_rule->enable_liveliness_protection->value;
+        attributes->is_read_protected = topic_rule->enable_read_access_control->value;
+        attributes->is_write_protected = topic_rule->enable_write_access_control->value;
+        attributes->is_payload_protected = topic_rule->data_protection_kind->value != DDS_SECURITY_BASICPROTECTION_KIND_NONE;
+        attributes->is_submessage_protected = topic_rule->metadata_protection_kind->value != DDS_SECURITY_PROTECTION_KIND_NONE;
+        attributes->is_key_protected = topic_rule->data_protection_kind->value == DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT;
+
+        /*calculate and assign the mask */
+        attributes->plugin_endpoint_attributes = get_plugin_endpoint_security_attributes_mask(
+            topic_rule->data_protection_kind->value == DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT,
+            topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT ||
+                    topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION,
+            topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION ||
+                    topic_rule->metadata_protection_kind->value == DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION);
+
+        memset(&attributes->ac_endpoint_properties, 0, sizeof(DDS_Security_PropertySeq));
+        result = true;
+      }
+      else
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_MESSAGE, topic_name, rights->domain_id);
+      }
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_DOMAIN_IN_GOVERNANCE_MESSAGE, rights->domain_id);
+    }
+  }
+  ACCESS_CONTROL_OBJECT_RELEASE(rights);
+  return result;
+}
+
+static char *
+get_access_control_class_id(
+    const char *classid)
+{
+  size_t sz = strlen(ACCESS_CONTROL_PROTOCOL_CLASS) + strlen(classid) + 6;
+  char *classId = ddsrt_malloc(sz);
+  snprintf(classId, sz, "%s:%s:%1u.%1u", ACCESS_CONTROL_PROTOCOL_CLASS, classid, ACCESS_CONTROL_PROTOCOL_VERSION_MAJOR, ACCESS_CONTROL_PROTOCOL_VERSION_MINOR);
+  return classId;
+}
+
+static void
+sanity_check_local_access_rights(
+    local_participant_access_rights *rights)
+{
+#ifndef NDEBUG
+  if (rights)
+  {
+    assert(rights->permissions_document);
+    assert(rights->governance_tree);
+    assert(rights->governance_tree->dds);
+    assert(rights->governance_tree->dds->domain_access_rules);
+    assert(rights->governance_tree->dds->domain_access_rules->domain_rule);
+    assert(rights->permissions_tree);
+    assert(rights->permissions_tree->dds);
+    assert(rights->permissions_tree->dds->permissions);
+    assert(rights->permissions_tree->dds->permissions->grant);
+  }
+#else
+  DDSRT_UNUSED_ARG(rights);
+#endif
+}
+
+static void
+sanity_check_remote_access_rights(
+    remote_participant_access_rights *rights)
+{
+#ifndef NDEBUG
+  /* Just some sanity checks. */
+  if (rights)
+  {
+    assert(rights->permissions);
+    assert(rights->permissions->permissions_tree);
+    assert(rights->permissions->permissions_tree->dds);
+    assert(rights->permissions->permissions_tree->dds->permissions);
+    assert(rights->permissions->remote_permissions_token_class_id);
+    assert(rights->local_rights);
+    sanity_check_local_access_rights(rights->local_rights);
+  }
+#else
+  DDSRT_UNUSED_ARG(rights);
+#endif
+}
+
+static local_participant_access_rights *
+find_local_access_rights(
+    dds_security_access_control_impl *ac,
+    DDS_Security_PermissionsHandle handle)
+{
+  local_participant_access_rights *rights = NULL;
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  DDSRT_UNUSED_ARG(handle);
+
+  ddsrt_mutex_lock(&ac->lock);
+  if (handle == ACCESS_CONTROL_OBJECT_HANDLE(ac->local_access_rights))
+    rights = (local_participant_access_rights *)ACCESS_CONTROL_OBJECT_KEEP(ac->local_access_rights);
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  rights = (local_participant_access_rights *)access_control_table_find(ac->local_permissions, handle);
+#endif
+
+  sanity_check_local_access_rights(rights);
+  return rights;
+}
+
+struct find_by_identity_arg
+{
+  AccessControlObject *object;
+  DDS_Security_IdentityHandle handle;
+};
+
+#ifndef ACCESS_CONTROL_USE_ONE_PERMISSION
+static int
+local_identity_handle_match(
+    AccessControlObject *obj,
+    void *arg)
+{
+  local_participant_access_rights *rights = (local_participant_access_rights *)obj;
+  struct find_by_identity_arg *info = arg;
+
+  if (rights->local_identity == info->handle)
+  {
+    info->object = obj;
+    return 0;
+  }
+
+  return 1;
+}
+#endif
+
+static int
+remote_identity_handle_match(
+    AccessControlObject *obj,
+    void *arg)
+{
+  remote_participant_access_rights *rights = (remote_participant_access_rights *)obj;
+  struct find_by_identity_arg *info = arg;
+
+  if (rights->remote_identity == info->handle)
+  {
+    info->object = ACCESS_CONTROL_OBJECT_KEEP(obj);
+    return 0;
+  }
+
+  return 1;
+}
+
+static local_participant_access_rights *
+find_local_rights_by_identity(
+    dds_security_access_control_impl *ac,
+    DDS_Security_IdentityHandle identity_handle)
+{
+  local_participant_access_rights *rights = NULL;
+
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+  DDSRT_UNUSED_ARG(identity_handle);
+
+  ddsrt_mutex_lock(&ac->lock);
+  rights = (local_participant_access_rights *)ACCESS_CONTROL_OBJECT_KEEP(ac->local_access_rights);
+  ddsrt_mutex_unlock(&ac->lock);
+#else
+  {
+    struct find_by_identity_arg args;
+    args.object = NULL;
+    args.handle = identity_handle;
+    access_control_table_walk(ac->local_permissions, local_identity_handle_match, &args);
+    rights = (local_participant_access_rights *)args.object;
+  }
+#endif
+  sanity_check_local_access_rights(rights);
+  return rights;
+}
+
+static remote_participant_access_rights *
+find_remote_rights_by_identity(
+    dds_security_access_control_impl *ac,
+    DDS_Security_IdentityHandle identity_handle)
+{
+  struct find_by_identity_arg args;
+  args.object = NULL;
+  args.handle = identity_handle;
+  access_control_table_walk(ac->remote_permissions, remote_identity_handle_match, &args);
+  sanity_check_remote_access_rights((remote_participant_access_rights *)args.object);
+  return (remote_participant_access_rights *)args.object;
+}
+
+struct find_by_permissions_handle_arg
+{
+  AccessControlObject *object;
+  DDS_Security_PermissionsHandle handle;
+};
+
+static int
+remote_permissions_handle_match(
+    AccessControlObject *obj,
+    void *arg)
+{
+  struct find_by_permissions_handle_arg *info = arg;
+  if (obj->handle == info->handle)
+  {
+    info->object = ACCESS_CONTROL_OBJECT_KEEP(obj);
+    return 0;
+  }
+  return 1;
+}
+
+static remote_participant_access_rights *
+find_remote_permissions_by_permissions_handle(
+    dds_security_access_control_impl *ac,
+    DDS_Security_PermissionsHandle permissions_handle)
+{
+  struct find_by_permissions_handle_arg args;
+  args.object = NULL;
+  args.handle = permissions_handle;
+  access_control_table_walk(ac->remote_permissions, remote_permissions_handle_match, &args);
+  sanity_check_remote_access_rights((remote_participant_access_rights *)args.object);
+  return (remote_participant_access_rights *)args.object;
+}
+
+#if TIMED_CALLBACK_IMPLEMENTED
+
+typedef struct
+{
+  dds_security_access_control_impl *ac;
+  DDS_Security_PermissionsHandle hdl;
+} validity_cb_info;
+
+static void
+validity_callback(struct ut_timed_dispatcher_t *d,
+                  ut_timed_cb_kind kind,
+                  void *listener,
+                  void *arg)
+{
+  validity_cb_info *info = arg;
+  assert(d);
+  assert(arg);
+  if (kind == UT_TIMED_CB_KIND_TIMEOUT)
+  {
+    assert(listener);
+    if (1 /* TODO: Check if hdl is still valid or if it has been already returned. */)
+    {
+      dds_security_access_control_listener *ac_listener = (dds_security_access_control_listener *)listener;
+      if (ac_listener->on_revoke_permissions)
+        ac_listener->on_revoke_permissions(ac_listener, (dds_security_access_control *)info->ac, info->hdl);
+    }
+  }
+  ddsrt_free(arg);
+}
+
+static void
+add_validity_end_trigger(dds_security_access_control_impl *ac,
+                         const DDS_Security_PermissionsHandle permissions_handle,
+                         dds_time_t end)
+{
+  validity_cb_info *arg = ddsrt_malloc(sizeof(validity_cb_info));
+  arg->ac = ac;
+  arg->hdl = permissions_handle;
+  ut_timed_dispatcher_add(ac->timed_callbacks, validity_callback, end, (void *)arg);
+}
+#endif
+
+static DDS_Security_boolean
+is_allowed_by_permissions(struct permissions_parser *permissions,
+                          int domain_id,
+                          const char *topic_name,
+                          const DDS_Security_PartitionQosPolicy *partitions,
+                          const char *identity_subject_name,
+                          permission_criteria_type criteria_type,
+                          DDS_Security_SecurityException *ex)
+{
+  struct grant *permissions_grant;
+  struct allow_deny_rule *current_rule;
+  struct criteria *current_criteria;
+
+  assert(permissions);
+  assert(permissions->dds);
+  assert(permissions->dds->permissions);
+
+  permissions_grant = permissions->dds->permissions->grant;
+
+  /* Check for a matching grant */
+  while (permissions_grant != NULL)
+  {
+    /* Verify that it is within the validity date and the subject name matches */
+    if (permissions_grant->subject_name != NULL &&
+        permissions_grant->subject_name->value != NULL &&
+        strcmp(permissions_grant->subject_name->value, identity_subject_name) == 0)
+    {
+      dds_time_t tnow = dds_time();
+      if (tnow <= DDS_Security_parse_xml_date(permissions_grant->validity->not_before->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_before->value);
+        return false;
+      }
+      if (tnow >= DDS_Security_parse_xml_date(permissions_grant->validity->not_after->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_after->value);
+        return false;
+      }
+
+      current_rule = permissions_grant->allow_deny_rule;
+      while (current_rule != NULL)
+      {
+        /* Check if the domain matches the given ID otherwise move on */
+        if (domainid_within_sets(current_rule->domains->domain_id_set, domain_id))
+        {
+          if (topic_name == NULL)
+          {
+            if (current_rule->rule_type == ALLOW_RULE)
+              return true;
+          }
+
+          /* Check all subscribe criteria to find the topics, partition and tags */
+          current_criteria = current_rule->criteria;
+          while (current_criteria != NULL)
+          {
+            if (current_criteria->criteria_type == criteria_type || (int)criteria_type == UNKNOWN_CRITERIA)
+            {
+              if (is_topic_in_criteria(current_criteria, topic_name) && is_partition_qos_in_criteria(current_criteria, partitions))
+              {
+                if (current_rule->rule_type == ALLOW_RULE)
+                  return true;
+                if (current_rule->rule_type == DENY_RULE)
+                {
+                  DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ACCESS_DENIED_CODE, 0, "%s found in deny_rule.", topic_name);
+                  return false;
+                }
+              }
+            }
+            current_criteria = (struct criteria *)current_criteria->node.next;
+          }
+        }
+        current_rule = (struct allow_deny_rule *)current_rule->node.next;
+      }
+
+      /* If nothing found but the grant matches, return the default value */
+      if (permissions_grant->default_action == NULL)
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ACCESS_DENIED_CODE, 0, "No rule found for %s", topic_name ? topic_name : "participant");
+        return false;
+      }
+
+      if (strcmp(permissions_grant->default_action->value, "ALLOW") != 0)
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ACCESS_DENIED_CODE, 0, "%s denied by default rule", topic_name ? topic_name : "participant");
+        return false;
+      }
+
+      return true;
+    }
+    permissions_grant = (struct grant *)permissions_grant->node.next;
+  }
+
+  DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_MESSAGE);
+  return false;
+}
+
+static bool
+read_document_from_file(
+    const char *filename,
+    char **doc,
+    DDS_Security_SecurityException *ex)
+{
+  DDSRT_WARNING_MSVC_OFF(4996);
+  FILE *fp;
+  char *document = NULL;
+  char *fname = NULL;
+  size_t sz, r;
+
+  assert(doc);
+  *doc = NULL;
+  /* Get portable file name. */
+  fname = DDS_Security_normalize_file(filename);
+  if (fname)
+  {
+    /* Get size if it is a accessible regular file (no dir or link). */
+    sz = ac_regular_file_size(fname);
+    if (sz > 0)
+    {
+      /* Open the actual file. */
+      fp = fopen(fname, "r");
+      if (fp)
+      {
+        /* Read the content. */
+        document = ddsrt_malloc(sz + 1);
+        r = fread(document, 1, sz, fp);
+        if (r == 0)
+        {
+          ddsrt_free(document);
+        }
+        else
+        {
+          document[r] = '\0';
+          *doc = document;
+        }
+        (void)fclose(fp);
+      }
+    }
+    ddsrt_free(fname);
+  }
+
+  if ((*doc) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, (filename ? filename : "NULL"));
+    return false;
+  }
+  return true;
+  DDSRT_WARNING_MSVC_ON(4996);
+}
+
+static bool
+read_document(
+    const char *doc_uri,
+    char **doc,
+    DDS_Security_SecurityException *ex)
+{
+  bool result = true;
+  char *data = NULL;
+
+  switch (DDS_Security_get_conf_item_type(doc_uri, &data))
+  {
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA:
+    *doc = data;
+    break;
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE:
+    result = read_document_from_file(data, doc, ex);
+    ddsrt_free(data);
+    break;
+  default:
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE, 0, DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_MESSAGE, doc_uri);
+    return false;
+  }
+  return result;
+}
+
+static bool
+validate_subject_name_in_permissions(struct permissions_parser *permissions_tree,
+                                     const char *identity_subject_name,
+                                     char **permission_subject_name,
+                                     dds_time_t *permission_validity_not_after,
+                                     DDS_Security_SecurityException *ex)
+{
+
+  struct grant *permissions_grant;
+  assert(permission_subject_name);
+
+  *permission_subject_name = NULL;
+  if (permissions_tree == NULL || permissions_tree->dds == NULL || permissions_tree->dds->permissions == NULL || permissions_tree->dds->permissions->grant == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, 0, DDS_SECURITY_ERR_INVALID_PARAMETER_MESSAGE);
+    return false;
+  }
+
+  permissions_grant = permissions_tree->dds->permissions->grant;
+  while (permissions_grant != NULL)
+  {
+    /* Verify that it is within the validity date and the subject name matches */
+    if (identity_subject_name != NULL && ac_check_subjects_are_equal(permissions_grant->subject_name->value, identity_subject_name))
+    {
+      dds_time_t tnow = dds_time ();
+      if (tnow <= DDS_Security_parse_xml_date(permissions_grant->validity->not_before->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_before->value);
+        return false;
+      }
+      if (tnow >= DDS_Security_parse_xml_date(permissions_grant->validity->not_after->value))
+      {
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE, 0,
+            DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE, permissions_grant->subject_name->value, permissions_grant->validity->not_after->value);
+        return false;
+      }
+
+      /* identity subject name and permission subject name may not be exactly same because of different string representations
+        * That's why we are returning the string in permissions file to be stored for further comparisons */
+      *permission_subject_name = ddsrt_strdup(permissions_grant->subject_name->value);
+      *permission_validity_not_after = DDS_Security_parse_xml_date(permissions_grant->validity->not_after->value);
+      return true;
+    }
+    permissions_grant = (struct grant *)permissions_grant->node.next;
+  }
+
+  DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0,
+      DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE);
+  return false;
+}
+
+static local_participant_access_rights *
+check_and_create_local_participant_rights(
+    DDS_Security_IdentityHandle identity_handle,
+    int domain_id,
+    const DDS_Security_Qos *participant_qos,
+    DDS_Security_SecurityException *ex)
+{
+  local_participant_access_rights *rights = NULL;
+  X509 *identity_cert;
+  X509 *permission_ca = NULL;
+  size_t pdlen;
+  size_t gvlen;
+  char *identity_cert_data = NULL;
+  char *permission_ca_data = NULL;
+  char *permission_document = NULL;
+  char *governance_document = NULL;
+  char *permission_xml = NULL;
+  char *governance_xml = NULL;
+  char *identity_subject = NULL;
+  struct governance_parser *governance_tree = NULL;
+  struct permissions_parser *permissions_tree = NULL;
+  char *permission_subject = NULL;
+  char *permissions_uri = NULL;
+  char *governance_uri = NULL;
+  dds_time_t permission_expiry = DDS_TIME_INVALID;
+
+  /* Retrieve the identity certificate from the participant QoS */
+  identity_cert_data = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_IDENTITY_CERT);
+  if (!identity_cert_data)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_IDENTITY_CERT);
+    goto err_no_identity_cert;
+  }
+
+  if (!ac_X509_certificate_read(identity_cert_data, &identity_cert, ex))
+    goto err_inv_identity_cert;
+
+  if (!(identity_subject = ac_get_certificate_subject_name(identity_cert, ex)))
+    goto err_inv_identity_cert;
+
+  if (!(governance_uri = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_GOVERNANCE_DOCUMENT)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_GOVERNANCE_DOCUMENT);
+    goto err_no_governance;
+  }
+
+  if (!(permissions_uri = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_PERMISSIONS_DOCUMENT)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_PERMISSIONS_DOCUMENT);
+    goto err_no_permissions;
+  }
+
+  if (!(permission_ca_data = DDS_Security_Property_get_value(&participant_qos->property.value, QOS_PROPERTY_PERMISSIONS_CA)))
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, QOS_PROPERTY_PERMISSIONS_CA);
+    goto err_no_permission_ca;
+  }
+
+  if (strlen(governance_uri) == 0 && strlen(permissions_uri) == 0 && strlen(permission_ca_data) == 0)
+  {
+    bool result;
+
+    result = ac_parse_governance_xml(DDS_SECURITY_DEFAULT_GOVERNANCE, &governance_tree, ex);
+    assert(result);
+    DDSRT_UNUSED_ARG(result);
+
+    result = ac_parse_permissions_xml(DDS_SECURITY_DEFAULT_PERMISSIONS, &permissions_tree, ex);
+    assert(result);
+    DDSRT_UNUSED_ARG(result);
+
+    /*set subject name on default permissions */
+    ddsrt_free(permissions_tree->dds->permissions->grant->subject_name->value);
+    permissions_tree->dds->permissions->grant->subject_name->value = ddsrt_strdup(identity_subject);
+    permission_document = ddsrt_strdup("");
+
+    rights = ac_local_participant_access_rights_new(identity_handle, domain_id, permission_document, NULL, identity_subject, governance_tree, permissions_tree);
+    sanity_check_local_access_rights(rights);
+  }
+  else if (strlen(governance_uri) > 0 && strlen(permissions_uri) > 0 && strlen(permission_ca_data) > 0)
+  {
+    /* Retrieve the permission ca certificate from the participant QoS */
+    if (!ac_X509_certificate_read(permission_ca_data, &permission_ca, ex))
+      goto err_inv_permission_ca;
+
+    /* Retrieve the permissions document from the participant QoS */
+    if (!read_document(permissions_uri, &permission_document, ex))
+      goto err_read_perm_doc;
+
+    if ((pdlen = strlen(permission_document)) == 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_CODE,
+          DDS_SECURITY_VALIDATION_FAILED, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_MESSAGE);
+      goto err_read_perm_doc;
+    }
+
+    /* Retrieve the governance from the participant QoS */
+    if (!read_document(governance_uri, &governance_document, ex))
+      goto err_read_gov_doc;
+
+    if ((gvlen = strlen(governance_document)) == 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_GOVERNANCE_DOCUMENT_PROPERTY_CODE,
+          DDS_SECURITY_VALIDATION_FAILED, DDS_SECURITY_ERR_INVALID_GOVERNANCE_DOCUMENT_PROPERTY_MESSAGE);
+      goto err_read_gov_doc;
+    }
+
+    if (!ac_PKCS7_document_check(permission_document, pdlen, permission_ca, &permission_xml, ex))
+      goto err_inv_perm_doc;
+
+    if (!ac_PKCS7_document_check(governance_document, gvlen, permission_ca, &governance_xml, ex))
+      goto err_inv_gov_doc;
+
+    if (!ac_parse_governance_xml(governance_xml, &governance_tree, ex))
+      goto err_inv_gov_xml;
+
+    if (!ac_parse_permissions_xml(permission_xml, &permissions_tree, ex))
+    {
+      ac_return_governance_tree(governance_tree);
+      goto err_inv_perm_xml;
+    }
+
+    /* check if subject name of identity certificate matches the subject name in the permissions document */
+    if (!validate_subject_name_in_permissions(permissions_tree, identity_subject, &permission_subject, &permission_expiry, ex))
+    {
+      ac_return_governance_tree(governance_tree);
+      ac_return_permissions_tree(permissions_tree);
+      goto err_inv_subject;
+    }
+
+    rights = ac_local_participant_access_rights_new(identity_handle, domain_id, permission_document, permission_ca, permission_subject, governance_tree, permissions_tree);
+    rights->permissions_expiry = permission_expiry;
+    sanity_check_local_access_rights(rights);
+  }
+  else
+  { /*one of them is not empty but the others */
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PARAMETER_CODE, DDS_SECURITY_VALIDATION_FAILED,
+        "Governance, Permissions and Permissions CA properties do not exist properly. Either all must be empty or all must be valid");
+    goto err_inv_properties;
+  }
+
+err_inv_subject:
+err_inv_perm_xml:
+err_inv_gov_xml:
+  ddsrt_free(governance_xml);
+err_inv_gov_doc:
+  ddsrt_free(permission_xml);
+err_inv_perm_doc:
+err_read_gov_doc:
+  ddsrt_free(governance_document);
+err_read_perm_doc:
+  if (!rights)
+  {
+    ddsrt_free(permission_document);
+    X509_free(permission_ca);
+  }
+err_inv_properties:
+err_inv_permission_ca:
+  ddsrt_free(permission_ca_data);
+err_no_permission_ca:
+  ddsrt_free(permissions_uri);
+err_no_permissions:
+  ddsrt_free(governance_uri);
+err_no_governance:
+  X509_free(identity_cert);
+err_inv_identity_cert:
+  ddsrt_free(identity_subject);
+  ddsrt_free(permission_subject);
+  ddsrt_free(identity_cert_data);
+err_no_identity_cert:
+  return rights;
+}
+
+static remote_participant_access_rights *
+check_and_create_remote_participant_rights(
+    DDS_Security_IdentityHandle remote_identity_handle,
+    local_participant_access_rights *local_rights,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const DDS_Security_AuthenticatedPeerCredentialToken *remote_credential_token,
+    DDS_Security_SecurityException *ex)
+{
+  remote_participant_access_rights *rights = NULL;
+  X509 *identity_cert = NULL;
+  const DDS_Security_Property_t *identity_cert_property;
+  const DDS_Security_Property_t *permission_doc_property;
+  char *identity_subject = NULL;
+  char *permissions_xml = NULL;
+  remote_permissions *permissions = NULL;
+  char *permission_subject = NULL;
+  dds_time_t permission_expiry = DDS_TIME_INVALID;
+  size_t len;
+
+  /* Retrieve the remote identity certificate from the remote_credential_token */
+  identity_cert_property = DDS_Security_DataHolder_find_property(remote_credential_token, "c.id");
+  if (!identity_cert_property || !identity_cert_property->value)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0,
+        DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, "c.id");
+    goto err_no_identity_cert;
+  }
+
+  len = strlen(identity_cert_property->value);
+  assert (len <= INT32_MAX);
+  if (!ac_X509_certificate_from_data(identity_cert_property->value, (int) len, &identity_cert, ex))
+    goto err_inv_identity_cert;
+
+  if (!(identity_subject = ac_get_certificate_subject_name(identity_cert, ex)))
+    goto err_inv_identity_cert;
+
+  /* Retrieve the remote permissions document from the remote_credential_token */
+  permission_doc_property = DDS_Security_DataHolder_find_property(remote_credential_token, "c.perm");
+  if (!permission_doc_property || !permission_doc_property->value)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_MISSING_PROPERTY_CODE, 0, DDS_SECURITY_ERR_MISSING_PROPERTY_MESSAGE, "c.perm");
+    goto err_inv_perm_doc;
+  }
+
+  if (strlen(permission_doc_property->value) == 0)
+  {
+    /* use default permissions document (all deny) if there is no permissions file
+         *to communicate with access_control=false and comply with previous release */
+    struct domain_rule *domainRule = find_domain_rule_in_governance(local_rights->governance_tree->dds->domain_access_rules->domain_rule, local_rights->domain_id);
+    if (!domainRule->enable_join_access_control->value)
+    {
+      permissions_xml = ddsrt_str_replace(DDS_SECURITY_DEFAULT_PERMISSIONS, "DEFAULT_SUBJECT", identity_subject, 1);
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_CODE, 0, DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_MESSAGE);
+      goto err_inv_perm_doc;
+    }
+  }
+  else
+  {
+    if (!ac_PKCS7_document_check(permission_doc_property->value, strlen(permission_doc_property->value), local_rights->permissions_ca, &permissions_xml, ex))
+      goto err_inv_perm_doc;
+  }
+
+  permissions = ddsrt_malloc(sizeof(remote_permissions));
+  permissions->ref_cnt = 0;
+  permissions->permissions_tree = NULL;
+  if (!ac_parse_permissions_xml(permissions_xml, &(permissions->permissions_tree), ex))
+  {
+    ddsrt_free(permissions);
+    goto err_inv_perm_xml;
+  }
+
+  /* check if subject name of identity certificate matches the subject name in the permissions document */
+  if (!validate_subject_name_in_permissions(permissions->permissions_tree, identity_subject, &permission_subject, &permission_expiry, ex))
+  {
+    ac_return_permissions_tree(permissions->permissions_tree);
+    ddsrt_free(permissions);
+    goto err_inv_subject;
+  }
+  rights = ac_remote_participant_access_rights_new(remote_identity_handle, local_rights, permissions, permission_expiry, remote_permissions_token, permission_subject);
+  sanity_check_remote_access_rights(rights);
+  ddsrt_free(permission_subject);
+
+err_inv_subject:
+err_inv_perm_xml:
+  ddsrt_free(permissions_xml);
+err_inv_perm_doc:
+  X509_free(identity_cert);
+err_inv_identity_cert:
+  ddsrt_free(identity_subject);
+err_no_identity_cert:
+  return rights;
+}
+
+static TOPIC_TYPE
+get_topic_type(
+    const char *topic_name)
+{
+  TOPIC_TYPE type = TOPIC_TYPE_USER;
+  assert(topic_name);
+
+  /* All builtin topics start with "DCPS" */
+  if (strncmp(topic_name, "DCPS", 4) == 0)
+  {
+    /* There are a number of builtin topics starting with "DCPSParticipant" */
+    if (strncmp(&(topic_name[4]), "Participant", 11) == 0)
+    {
+      if (strcmp(&(topic_name[15]), "") == 0)
+        type = TOPIC_TYPE_NON_SECURE_BUILTIN; /* DCPSParticipant */
+      else if (strcmp(&(topic_name[15]), "Message") == 0)
+        type = TOPIC_TYPE_NON_SECURE_BUILTIN; /* DCPSParticipantMessage */
+      else if (strcmp(&(topic_name[15]), "MessageSecure") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantMessageSecure; /* DCPSParticipantMessageSecure */
+      else if (strcmp(&(topic_name[15]), "VolatileMessageSecure") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantVolatileMessageSecure; /* DCPSParticipantVolatileMessageSecure */
+      else if (strcmp(&(topic_name[15]), "StatelessMessage") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantStatelessMessage; /* DCPSParticipantStatelessMessage */
+      else if (strcmp(&(topic_name[15]), "sSecure") == 0)
+        type = TOPIC_TYPE_SECURE_ParticipantsSecure; /* DCPSParticipantsSecure */
+    }
+    else if (strcmp(&(topic_name[4]), "SubscriptionsSecure") == 0)
+      type = TOPIC_TYPE_SECURE_SubscriptionsSecure; /* DCPSSubscriptionsSecure */
+    else if (strcmp(&(topic_name[4]), "PublicationsSecure") == 0)
+      type = TOPIC_TYPE_SECURE_PublicationsSecure; /* DCPSPublicationsSecure */
+    else if ((strcmp(&(topic_name[4]), "Topic") == 0) ||
+             (strcmp(&(topic_name[4]), "Publication") == 0) ||
+             (strcmp(&(topic_name[4]), "Subscription") == 0))
+    {
+      /* DCPSTopic        */
+      /* DCPSPublication  */
+      /* DCPSSubscription */
+      type = TOPIC_TYPE_NON_SECURE_BUILTIN;
+    }
+  }
+  return type;
+}
+
+int finalize_access_control(void *context)
+{
+  dds_security_access_control_impl *access_control = context;
+  if (access_control)
+  {
+#if TIMED_CALLBACK_IMPLEMENTED
+    ut_timed_dispatcher_free(access_control->timed_callbacks);
+#endif
+    access_control_table_free(access_control->remote_permissions);
+#ifdef ACCESS_CONTROL_USE_ONE_PERMISSION
+    if (access_control->local_access_rights)
+      access_control_object_free((AccessControlObject *)access_control->local_access_rights);
+#else
+    access_control_table_free(access_control->local_permissions);
+#endif
+    ddsrt_mutex_destroy(&access_control->lock);
+    ddsrt_free(access_control);
+  }
+  EVP_cleanup();
+  CRYPTO_cleanup_all_ex_data();
+  REMOVE_THREAD_STATE();
+  ERR_free_strings();
+  return 0;
+}
diff --git a/src/security/builtin_plugins/access_control/src/access_control.h b/src/security/builtin_plugins/access_control/src/access_control.h
new file mode 100644
index 0000000..b98d2d7
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_H
+#define ACCESS_CONTROL_H
+
+#include "dds/security/dds_security_api.h"
+#include "dds/security/export.h"
+
+SECURITY_EXPORT int init_access_control(const char *argument, void **context);
+SECURITY_EXPORT int finalize_access_control(void *context);
+
+#endif /* ACCESS_CONTROL_H */
diff --git a/src/security/builtin_plugins/access_control/src/access_control_objects.c b/src/security/builtin_plugins/access_control/src/access_control_objects.c
new file mode 100644
index 0000000..cee88cb
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_objects.c
@@ -0,0 +1,283 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <string.h>
+#include "dds/ddsrt/atomics.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/hopscotch.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/sync.h"
+#include "dds/ddsrt/types.h"
+#include "access_control_objects.h"
+#include "access_control_utils.h"
+#include "access_control_parser.h"
+
+struct AccessControlTable
+{
+  struct ddsrt_hh *htab;
+  ddsrt_mutex_t lock;
+};
+
+bool access_control_object_valid(const AccessControlObject *obj, const AccessControlObjectKind_t kind)
+{
+  if (!obj)
+    return false;
+  if (obj->kind != kind)
+    return false;
+  if (obj->handle != (int64_t)(uintptr_t)obj)
+    return false;
+
+  return true;
+}
+
+static uint32_t access_control_object_hash(const void *obj)
+{
+  const AccessControlObject *object = obj;
+  const uint64_t c = 0xE21B371BEB9E6C05;
+  const uint32_t x = (uint32_t)object->handle;
+  return (unsigned)((x * c) >> 32);
+}
+
+static int access_control_object_equal(const void *ha, const void *hb)
+{
+  const AccessControlObject *la = ha;
+  const AccessControlObject *lb = hb;
+  return la->handle == lb->handle;
+}
+
+void access_control_object_init(AccessControlObject *obj, AccessControlObjectKind_t kind, AccessControlObjectDestructor destructor)
+{
+  assert(obj);
+  obj->kind = kind;
+  obj->handle = (int64_t)(uintptr_t)obj;
+  obj->destructor = destructor;
+  ddsrt_atomic_st32(&obj->refcount, 1);
+}
+
+static void access_control_object_deinit(AccessControlObject *obj)
+{
+  assert(obj);
+  obj->handle = DDS_SECURITY_HANDLE_NIL;
+  obj->kind = ACCESS_CONTROL_OBJECT_KIND_UNKNOWN;
+  obj->destructor = NULL;
+}
+
+void access_control_object_free(AccessControlObject *obj)
+{
+  if (obj && obj->destructor)
+    obj->destructor(obj);
+}
+
+AccessControlObject *access_control_object_keep(AccessControlObject *obj)
+{
+  if (obj)
+    ddsrt_atomic_inc32(&obj->refcount);
+  return obj;
+}
+
+void access_control_object_release(AccessControlObject *obj)
+{
+  if (obj)
+  {
+    if (ddsrt_atomic_dec32_nv(&obj->refcount) == 0)
+      access_control_object_free(obj);
+  }
+}
+
+struct AccessControlTable *access_control_table_new(void)
+{
+  struct AccessControlTable *table;
+
+  table = ddsrt_malloc(sizeof(*table));
+  table->htab = ddsrt_hh_new(32, access_control_object_hash, access_control_object_equal);
+  ddsrt_mutex_init(&table->lock);
+  return table;
+}
+
+void access_control_table_free(struct AccessControlTable *table)
+{
+  struct ddsrt_hh_iter it;
+  AccessControlObject *obj;
+
+  if (!table)
+    return;
+  for (obj = ddsrt_hh_iter_first(table->htab, &it); obj; obj = ddsrt_hh_iter_next(&it))
+  {
+    (void)ddsrt_hh_remove(table->htab, obj);
+    access_control_object_release(obj);
+  }
+  ddsrt_hh_free(table->htab);
+  ddsrt_mutex_destroy(&table->lock);
+  ddsrt_free(table);
+}
+
+AccessControlObject *access_control_table_insert(struct AccessControlTable *table, AccessControlObject *object)
+{
+  AccessControlObject template;
+  AccessControlObject *cur;
+  assert(table);
+  assert(object);
+  template.handle = object->handle;
+  ddsrt_mutex_lock(&table->lock);
+  if (!(cur = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template))))
+  {
+    cur = access_control_object_keep(object);
+    (void)ddsrt_hh_add(table->htab, cur);
+  }
+  ddsrt_mutex_unlock(&table->lock);
+  return cur;
+}
+
+void access_control_table_remove_object(struct AccessControlTable *table, AccessControlObject *object)
+{
+  assert(table);
+  assert(object);
+  ddsrt_mutex_lock(&table->lock);
+  (void)ddsrt_hh_remove(table->htab, object);
+  ddsrt_mutex_unlock(&table->lock);
+  access_control_object_release(object);
+}
+
+AccessControlObject *access_control_table_remove(struct AccessControlTable *table, int64_t handle)
+{
+  AccessControlObject template;
+  AccessControlObject *object;
+  assert(table);
+  template.handle = handle;
+  ddsrt_mutex_lock(&table->lock);
+  if ((object = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template))))
+  {
+    (void)ddsrt_hh_remove(table->htab, object);
+    access_control_object_release(object);
+  }
+  ddsrt_mutex_unlock(&table->lock);
+  return object;
+}
+
+AccessControlObject *access_control_table_find(struct AccessControlTable *table, int64_t handle)
+{
+  AccessControlObject template;
+  AccessControlObject *object;
+  assert(table);
+  template.handle = handle;
+  ddsrt_mutex_lock(&table->lock);
+  object = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template));
+  ddsrt_mutex_unlock(&table->lock);
+  return object;
+}
+
+void access_control_table_walk(struct AccessControlTable *table, AccessControlTableCallback callback, void *arg)
+{
+  struct ddsrt_hh_iter it;
+  AccessControlObject *obj;
+  int r = 1;
+  assert(table);
+  assert(callback);
+  ddsrt_mutex_lock(&table->lock);
+  for (obj = ddsrt_hh_iter_first(table->htab, &it); r && obj; obj = ddsrt_hh_iter_next(&it))
+    r = callback(obj, arg);
+  ddsrt_mutex_unlock(&table->lock);
+}
+
+static void local_participant_access_rights_free(AccessControlObject *obj)
+{
+  local_participant_access_rights *rights = (local_participant_access_rights *)obj;
+  if (rights)
+  {
+    ddsrt_free(rights->permissions_document);
+    if (rights->permissions_ca)
+      X509_free(rights->permissions_ca);
+    access_control_object_deinit((AccessControlObject *)rights);
+    if (rights->governance_tree)
+      ac_return_governance_tree(rights->governance_tree);
+    if (rights->permissions_tree)
+      ac_return_permissions_tree(rights->permissions_tree);
+    ddsrt_free(rights->identity_subject_name);
+    ddsrt_free(rights);
+  }
+}
+
+local_participant_access_rights *ac_local_participant_access_rights_new(
+    DDS_Security_IdentityHandle local_identity,
+    int domain_id,
+    char *permissions_document,
+    X509 *permissions_ca,
+    const char *identity_subject_name,
+    struct governance_parser *governance_tree,
+    struct permissions_parser *permissions_tree)
+{
+  local_participant_access_rights *rights = ddsrt_malloc(sizeof(local_participant_access_rights));
+  memset(rights, 0, sizeof(local_participant_access_rights));
+  access_control_object_init((AccessControlObject *)rights, ACCESS_CONTROL_OBJECT_KIND_LOCAL_PARTICIPANT, local_participant_access_rights_free);
+  rights->local_identity = local_identity;
+  rights->domain_id = domain_id;
+  rights->permissions_document = permissions_document;
+  rights->permissions_ca = permissions_ca;
+  rights->identity_subject_name = ddsrt_strdup(identity_subject_name);
+  rights->governance_tree = governance_tree;
+  rights->permissions_tree = permissions_tree;
+  return rights;
+}
+
+
+static void remote_participant_access_rights_free(AccessControlObject *obj)
+{
+  remote_participant_access_rights *rights = (remote_participant_access_rights *)obj;
+  if (rights)
+  {
+    if (rights->permissions)
+    {
+      assert(rights->permissions->ref_cnt > 0);
+      rights->permissions->ref_cnt--;
+      if (rights->permissions->ref_cnt == 0)
+      {
+        ac_return_permissions_tree(rights->permissions->permissions_tree);
+        ddsrt_free(rights->permissions->remote_permissions_token_class_id);
+        ddsrt_free(rights->permissions);
+      }
+    }
+    ddsrt_free(rights->identity_subject_name);
+    ACCESS_CONTROL_OBJECT_RELEASE(rights->local_rights);
+    access_control_object_deinit((AccessControlObject *)rights);
+    ddsrt_free(rights);
+  }
+}
+
+remote_participant_access_rights *
+ac_remote_participant_access_rights_new(
+    DDS_Security_IdentityHandle remote_identity,
+    const local_participant_access_rights *local_rights,
+    remote_permissions *permissions,
+    dds_time_t permission_expiry,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const char *identity_subject)
+{
+  remote_participant_access_rights *rights = ddsrt_malloc(sizeof(remote_participant_access_rights));
+  memset(rights, 0, sizeof(remote_participant_access_rights));
+  access_control_object_init((AccessControlObject *)rights, ACCESS_CONTROL_OBJECT_KIND_REMOTE_PARTICIPANT, remote_participant_access_rights_free);
+  rights->remote_identity = remote_identity;
+  rights->permissions = permissions;
+  rights->permissions_expiry = permission_expiry;
+  rights->local_rights = (local_participant_access_rights *)ACCESS_CONTROL_OBJECT_KEEP(local_rights);
+  if (rights->permissions)
+  {
+    rights->permissions->remote_permissions_token_class_id = ddsrt_strdup(remote_permissions_token->class_id);
+    rights->permissions->ref_cnt++;
+    rights->identity_subject_name = ddsrt_strdup(identity_subject);
+  }
+  else
+  {
+    assert(identity_subject == NULL);
+    rights->identity_subject_name = NULL;
+  }
+  return rights;
+}
diff --git a/src/security/builtin_plugins/access_control/src/access_control_objects.h b/src/security/builtin_plugins/access_control/src/access_control_objects.h
new file mode 100644
index 0000000..b1f033b
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_objects.h
@@ -0,0 +1,106 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_OBJECTS_H
+#define ACCESS_CONTROL_OBJECTS_H
+
+#include <openssl/x509.h>
+#include "dds/ddsrt/atomics.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+
+#define ACCESS_CONTROL_OBJECT(o)            ((AccessControlObject *)(o))
+#define ACCESS_CONTROL_OBJECT_HANDLE(o)     ((o) ? ACCESS_CONTROL_OBJECT(o)->handle : DDS_SECURITY_HANDLE_NIL)
+
+#define ACCESS_CONTROL_OBJECT_KEEP(o)       access_control_object_keep((AccessControlObject *)(o))
+#define ACCESS_CONTROL_OBJECT_RELEASE(o)    access_control_object_release((AccessControlObject *)(o))
+#define ACCESS_CONTROL_OBJECT_VALID(o,k)    access_control_object_valid((AccessControlObject *)(o), k)
+
+typedef enum {
+    ACCESS_CONTROL_OBJECT_KIND_UNKNOWN,
+    ACCESS_CONTROL_OBJECT_KIND_LOCAL_PARTICIPANT,
+    ACCESS_CONTROL_OBJECT_KIND_REMOTE_PARTICIPANT,
+} AccessControlObjectKind_t;
+
+typedef struct AccessControlObject AccessControlObject;
+typedef void (*AccessControlObjectDestructor)(AccessControlObject *obj);
+
+struct AccessControlObject {
+    int64_t handle;
+    ddsrt_atomic_uint32_t refcount;
+    AccessControlObjectKind_t kind;
+    AccessControlObjectDestructor destructor;
+};
+
+typedef struct local_participant_access_rights {
+    AccessControlObject _parent;
+    DDS_Security_ParticipantSecurityAttributes participant_attributes;
+    DDS_Security_IdentityHandle local_identity;
+    struct governance_parser *governance_tree;
+    struct permissions_parser *permissions_tree;
+    int domain_id;
+    char *identity_subject_name;
+    char *permissions_document;
+    X509 *permissions_ca;
+    dds_time_t permissions_expiry;
+} local_participant_access_rights;
+
+
+typedef struct remote_permissions {
+    int ref_cnt;
+    struct permissions_parser *permissions_tree;
+    DDS_Security_string remote_permissions_token_class_id;
+} remote_permissions;
+
+typedef struct remote_participant_access_rights {
+    AccessControlObject _parent;
+    DDS_Security_IdentityHandle remote_identity;
+    local_participant_access_rights *local_rights;
+    remote_permissions *permissions;
+    char *identity_subject_name;
+    dds_time_t permissions_expiry;
+} remote_participant_access_rights;
+
+void access_control_object_init(AccessControlObject *obj, AccessControlObjectKind_t kind, AccessControlObjectDestructor destructor);
+AccessControlObject *access_control_object_keep(AccessControlObject *obj);
+void access_control_object_release(AccessControlObject *obj);
+bool access_control_object_valid(const AccessControlObject *obj, AccessControlObjectKind_t kind);
+void access_control_object_free(AccessControlObject *obj);
+
+struct AccessControlTable;
+typedef int (*AccessControlTableCallback)(AccessControlObject *obj, void *arg);
+struct AccessControlTable *access_control_table_new(void);
+
+void access_control_table_free(struct AccessControlTable *table);
+AccessControlObject *access_control_table_insert(struct AccessControlTable *table, AccessControlObject *object);
+void access_control_table_remove_object(struct AccessControlTable *table, AccessControlObject *object);
+AccessControlObject *access_control_table_remove(struct AccessControlTable *table, int64_t handle);
+AccessControlObject *access_control_table_find(struct AccessControlTable *table, int64_t handle);
+void access_control_table_walk(struct AccessControlTable *table, AccessControlTableCallback callback, void *arg);
+
+local_participant_access_rights *ac_local_participant_access_rights_new(
+    DDS_Security_IdentityHandle local_identity,
+    int domain_id,
+    char *permissions_document,
+    X509 *permissions_ca,
+    const char* identity_subject_name,
+    struct governance_parser *governance_tree,
+    struct permissions_parser *permissions_tree);
+
+remote_participant_access_rights *ac_remote_participant_access_rights_new(
+    DDS_Security_IdentityHandle remote_identity,
+    const local_participant_access_rights *local_rights,
+    remote_permissions *permissions,
+    dds_time_t permission_expiry,
+    const DDS_Security_PermissionsToken *remote_permissions_token,
+    const char *identity_subject);
+
+#endif /* ACCESS_CONTROL_OBJECTS_H */
diff --git a/src/security/builtin_plugins/access_control/src/access_control_parser.c b/src/security/builtin_plugins/access_control/src/access_control_parser.c
new file mode 100644
index 0000000..5f1cf2d
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_parser.c
@@ -0,0 +1,1212 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <string.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/strtol.h"
+#include "dds/ddsrt/types.h"
+#include "dds/ddsrt/xmlparser.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "access_control_parser.h"
+#include "access_control_utils.h"
+
+#define DEBUG_PARSER 0
+#if (DEBUG_PARSER)
+
+static void print_tab(int spaces)
+{
+  while (spaces > 0)
+  {
+    printf(" ");
+    spaces--;
+  }
+}
+
+static void print_string_value(struct string_value *val, const char *info, int spaces)
+{
+  print_tab(spaces);
+  printf("%s", info);
+  if (val)
+    printf(": %s", val->value ? val->value : "<noval>");
+  printf("\n");
+}
+
+#define PRINT_VALUE_BASIC(name_, type_) \
+  static void print_##name_##_value (type_ *val, const char *info, int spaces) \
+  { \
+    print_tab(spaces); \
+    printf("%s", info); \
+    if (val) \
+      printf(": %d", val->value); \
+    printf("\n"); \
+  }
+PRINT_VALUE_BASIC(bool, struct boolean_value)
+PRINT_VALUE_BASIC(int, struct integer_value)
+PRINT_VALUE_BASIC(protection, struct protection_kind_value)
+PRINT_VALUE_BASIC(basic_protection, struct basicprotection_kind_value)
+#undef PRINT_VALUE_BASIC
+
+static void print_domains(struct domains *domains, int spaces)
+{
+  print_tab(spaces);
+  printf("domains {\n");
+  if (domains)
+  {
+    struct domain_id_set *current = domains->domain_id_set;
+    while (current != NULL)
+    {
+      if (current->max == NULL)
+      {
+        print_int_value(current->min, "id", spaces + 3);
+      }
+      else
+      {
+        print_int_value(current->min, "min", spaces + 3);
+        print_int_value(current->max, "max", spaces + 3);
+      }
+      current = (struct domain_id_set *)current->node.next;
+    }
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_topic_rule(struct topic_rule *rule, int spaces)
+{
+  print_tab(spaces);
+  printf("topic_rule {\n");
+  if (rule)
+  {
+    print_string_value(rule->topic_expression, "topic_expression", spaces + 3);
+    print_bool_value(rule->enable_discovery_protection, "enable_discovery_protection", spaces + 3);
+    print_bool_value(rule->enable_liveliness_protection, "enable_liveliness_protection", spaces + 3);
+    print_bool_value(rule->enable_read_access_control, "enable_read_access_control", spaces + 3);
+    print_bool_value(rule->enable_write_access_control, "enable_write_access_control", spaces + 3);
+    print_protection_value(rule->metadata_protection_kind, "metadata_protection_kind", spaces + 3);
+    print_basic_protection_value(rule->data_protection_kind, "data_protection_kind", spaces + 3);
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_topic_access_rules(struct topic_access_rules *tar, int spaces)
+{
+  print_tab(spaces);
+  printf("topic_access_rules {\n");
+  if (tar)
+  {
+    struct topic_rule *current = tar->topic_rule;
+    while (current != NULL)
+    {
+      print_topic_rule(current, spaces + 3);
+      current = (struct topic_rule *)current->node.next;
+    }
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_domain_rule(struct domain_rule *rule, int spaces)
+{
+  print_tab(spaces);
+  printf("domain_rule {\n");
+  if (rule)
+  {
+    print_domains(rule->domains, spaces + 3);
+    print_bool_value(rule->allow_unauthenticated_participants, "allow_unauthenticated_participants", spaces + 3);
+    print_bool_value(rule->enable_join_access_control, "enable_join_access_control", spaces + 3);
+    print_protection_value(rule->rtps_protection_kind, "rtps_protection_kind", spaces + 3);
+    print_protection_value(rule->discovery_protection_kind, "discovery_protection_kind", spaces + 3);
+    print_protection_value(rule->liveliness_protection_kind, "liveliness_protection_kind", spaces + 3);
+    print_topic_access_rules(rule->topic_access_rules, spaces + 3);
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_domain_access_rules(struct domain_access_rules *dar, int spaces)
+{
+  print_tab(spaces);
+  printf("domain_access_rules {\n");
+  if (dar)
+  {
+    struct domain_rule *current = dar->domain_rule;
+    while (current != NULL)
+    {
+      print_domain_rule(current, spaces + 3);
+      current = (struct domain_rule *)current->node.next;
+    }
+  }
+  else
+  {
+    printf(" {\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_governance_parser_result(struct governance_parser *parser)
+{
+  assert(parser);
+  assert(parser->dds);
+  assert(parser->dds->domain_access_rules);
+  printf("-----------------------------------------------\n");
+  print_domain_access_rules(parser->dds->domain_access_rules, 0);
+  printf("-----------------------------------------------\n");
+}
+
+static void print_topic(struct string_value *topic, int spaces)
+{
+  if (topic)
+  {
+    print_string_value(topic, "topic", spaces);
+    print_topic((struct string_value *)topic->node.next, spaces);
+  }
+}
+
+static void print_topics(struct topics *topics, int spaces)
+{
+  if (topics)
+  {
+    print_tab(spaces);
+    printf("topics {\n");
+    print_topic(topics->topic, spaces + 3);
+    print_tab(spaces);
+    printf("}\n");
+  }
+}
+
+static void print_partition(struct string_value *partition, int spaces)
+{
+  if (partition)
+  {
+    print_string_value(partition, "partition", spaces);
+    print_partition((struct string_value *)partition->node.next, spaces);
+  }
+}
+
+static void print_partitions(struct partitions *partitions, int spaces)
+{
+  if (partitions)
+  {
+    print_tab(spaces);
+    printf("partitions {\n");
+    print_partition(partitions->partition, spaces + 3);
+    print_tab(spaces);
+    printf("}\n");
+  }
+}
+
+static void print_criteria(struct criteria *criteria, int spaces)
+{
+  if (criteria)
+  {
+    struct criteria *current = criteria;
+    while (current != NULL)
+    {
+      print_tab(spaces);
+      if (current->criteria_type == SUBSCRIBE_CRITERIA)
+        printf("subscribe {\n");
+      else if (current->criteria_type == PUBLISH_CRITERIA)
+        printf("publish {\n");
+      else
+        assert(0);
+      print_topics(current->topics, spaces + 3);
+      print_partitions(current->partitions, spaces + 3);
+      print_tab(spaces);
+      printf("}\n");
+      current = (struct criteria *)current->node.next;
+    }
+  }
+}
+
+static void print_allow_deny_rule(struct allow_deny_rule *allow_deny_rule, int spaces)
+{
+  if (allow_deny_rule)
+  {
+    struct allow_deny_rule *current = allow_deny_rule;
+    while (current != NULL)
+    {
+      print_tab(spaces);
+      if (current->rule_type == ALLOW_RULE)
+        printf("allow_rule {\n");
+      else if (current->rule_type == DENY_RULE)
+        printf("deny_rule {\n");
+      else
+        assert(0);
+      print_domains(current->domains, spaces + 3);
+      print_criteria(current->criteria, spaces + 3);
+      print_tab(spaces);
+      printf("}\n");
+      current = (struct allow_deny_rule *)current->node.next;
+    }
+  }
+}
+
+static void print_permissions(struct permissions *permissions, int spaces)
+{
+  struct grant *current = permissions->grant;
+  print_tab(spaces);
+  printf("permissions {\n");
+  while (current != NULL)
+  {
+    print_tab(spaces + 3);
+    printf("grant {\n");
+    print_tab(spaces + 6);
+    printf("name: %s\n", current->name);
+    print_string_value(current->subject_name, "subject_name", spaces + 6);
+    print_string_value(current->validity->not_before, "validity_not_before", spaces + 6);
+    print_string_value(current->validity->not_after, "validity_not_after", spaces + 6);
+    print_allow_deny_rule(current->allow_deny_rule, spaces + 6);
+    print_string_value(current->default_action, "default", spaces + 6);
+    current = (struct grant *)current->node.next;
+    print_tab(spaces + 3);
+    printf("}\n");
+  }
+  print_tab(spaces);
+  printf("}\n");
+}
+
+static void print_permissions_parser_result(struct permissions_parser *parser)
+{
+  assert(parser);
+  assert(parser->dds);
+  assert(parser->dds->permissions);
+  printf("-----------------------------------------------\n");
+  print_permissions(parser->dds->permissions, 0);
+  printf("-----------------------------------------------\n");
+}
+
+#endif /* DEBUG_PARSER */
+
+static struct element *new_element(element_kind kind, struct element *parent, size_t size)
+{
+  struct element *e = ddsrt_malloc(size);
+  memset(e, 0, size);
+  e->parent = parent;
+  e->kind = kind;
+  e->next = NULL;
+  return e;
+}
+
+#define PREPARE_NODE(element_type, element_kind, element_name, parent_type, parent_kind, current) \
+  {                                                                                               \
+    xml_##parent_type *P = (xml_##parent_type *)current;                                          \
+    if (!current || current->kind != ELEMENT_KIND_##parent_kind)                                  \
+    {                                                                                             \
+      return -1;                                                                                  \
+    }                                                                                             \
+    current = new_element(ELEMENT_KIND_##element_kind, current, sizeof(xml_##element_type));      \
+    P->element_name = (xml_##element_type *)current;                                              \
+  }
+
+#define PREPARE_NODE_WITH_LIST(element_type, element_kind, element_name, parent_type, parent_kind, current) \
+  {                                                                                                         \
+    xml_##parent_type *P = (xml_##parent_type *)current;                                                    \
+    xml_element *tail;                                                                                      \
+    if (!current || current->kind != ELEMENT_KIND_##parent_kind)                                            \
+    {                                                                                                       \
+      return -1;                                                                                            \
+    }                                                                                                       \
+    tail = (xml_element *)P->element_name;                                                                  \
+    current = new_element(ELEMENT_KIND_##element_kind, current, sizeof(xml_##element_type));                \
+    if (!P->element_name)                                                                                   \
+    {                                                                                                       \
+      P->element_name = (xml_##element_type *)current;                                                      \
+    }                                                                                                       \
+    else                                                                                                    \
+    {                                                                                                       \
+      while (tail->next != NULL)                                                                            \
+      {                                                                                                     \
+        tail = tail->next;                                                                                  \
+      }                                                                                                     \
+      tail->next = current;                                                                                 \
+      tail->next->next = NULL;                                                                              \
+    }                                                                                                       \
+  }
+
+static void validate_domains(const struct domain_id_set *domains_set, DDS_Security_SecurityException *ex)
+{
+  const struct domain_id_set *domain = domains_set;
+  if (!domains_set)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found domain set in Governance file without domain ids.");
+    return;
+  }
+  while (domain != NULL && ex->code == 0)
+  {
+    if (!domain->min)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found domain range in Governance file without minimum value.");
+    else if (!domain->max)
+      ; /* The max isn't set with only an id (no range), so no error. */
+    else if (domain->max->value < domain->min->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found domain range in Governance file with invalid range min(%d) max(%d).", domain->min->value, domain->max->value);
+    domain = (struct domain_id_set *)domain->node.next;
+  }
+}
+
+static void validate_topic_rules(const struct topic_rule *topic_rule, DDS_Security_SecurityException *ex)
+{
+  while (topic_rule && ex->code == 0)
+  {
+    if (!topic_rule->data_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without data_protection_kind");
+    else if (!topic_rule->enable_discovery_protection)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_discovery_protection");
+    else if (!topic_rule->enable_liveliness_protection)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_liveliness_protection");
+    else if (!topic_rule->enable_read_access_control)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_read_access_control");
+    else if (!topic_rule->enable_write_access_control)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without enable_write_access_control");
+    else if (!topic_rule->metadata_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found topic rule in Governance file without metadata_protection_kind");
+    else
+      topic_rule = (struct topic_rule *)topic_rule->node.next;
+  }
+}
+
+static DDS_Security_boolean validate_rules(const struct domain_rule *rule, DDS_Security_SecurityException *ex)
+{
+  while (rule && ex->code == 0)
+  {
+    if (!rule->domains)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without domain ids.");
+    else if (!rule->allow_unauthenticated_participants)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without allow_unauthenticated_participants.");
+    else if (!rule->enable_join_access_control)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without enable_join_access_control.");
+    else if (!rule->rtps_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without rtps_protection_kind.");
+    else if (!rule->discovery_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without discovery_protection_kind.");
+    else if (!rule->liveliness_protection_kind)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without liveliness_protection_kind.");
+    else
+    {
+      /* Last but not least, check the domain ids (ex is set when there's a failure) */
+      validate_domains(rule->domains->domain_id_set, ex);
+      if (!rule->topic_access_rules && rule->topic_access_rules->topic_rule)
+        DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_IDENTITY_EMPTY_CODE, 0, "Found rule in Governance file without topic_access_rules");
+      else
+      {
+        validate_topic_rules(rule->topic_access_rules->topic_rule, ex);
+        rule = (struct domain_rule *)rule->node.next;
+      }
+    }
+  }
+  return (ex->code == 0);
+}
+
+static int validate_permissions_tree(const struct grant *grant, DDS_Security_SecurityException *ex)
+{
+  while (grant && (ex->code == 0))
+  {
+    xml_allow_deny_rule *allow_deny_rule;
+    if (!grant->subject_name || !grant->subject_name->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without subject name.");
+    else if (!grant->validity)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without Validity.");
+    else if (!grant->validity->not_after || !grant->validity->not_after->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without Validity/not_after.");
+    else if (!grant->validity->not_before || !grant->validity->not_before->value)
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, "Found tree in Permissions file without Validity/not_before.");
+    else
+    {
+      /*validate partitions*/
+      allow_deny_rule = grant->allow_deny_rule;
+      while (allow_deny_rule)
+      {
+        xml_criteria *criteria = allow_deny_rule->criteria;
+        while (criteria)
+        {
+          /* set to default partition, if there is no partition specifien in the XML. (DDS Security SPEC 9.4.1.3.2.3.1.4)*/
+          if (criteria->partitions == NULL)
+          {
+            xml_element *criteria_element = &(criteria->node);
+            xml_element *partitions_element;
+            PREPARE_NODE(partitions, PARTITIONS, partitions, criteria, CRITERIA, criteria_element)
+            assert(criteria->partitions);
+            partitions_element = &(criteria->partitions->node);
+            PREPARE_NODE_WITH_LIST(string_value, STRING_VALUE, partition, partitions, PARTITIONS, partitions_element)
+            assert(criteria->partitions->partition);
+            criteria->partitions->partition->value = ddsrt_strdup("");
+          }
+          criteria = (xml_criteria *)criteria->node.next;
+        }
+        allow_deny_rule = (xml_allow_deny_rule *)allow_deny_rule->node.next;
+      }
+    }
+    grant = (struct grant *)grant->node.next;
+  }
+  return (ex->code == 0);
+}
+
+static int to_protection_kind(const char *kindStr, DDS_Security_ProtectionKind *kindEnum)
+{
+  if (strcmp(kindStr, "ENCRYPT_WITH_ORIGIN_AUTHENTICATION") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_ENCRYPT_WITH_ORIGIN_AUTHENTICATION;
+  else if (strcmp(kindStr, "SIGN_WITH_ORIGIN_AUTHENTICATION") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_SIGN_WITH_ORIGIN_AUTHENTICATION;
+  else if (strcmp(kindStr, "ENCRYPT") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_ENCRYPT;
+  else if (strcmp(kindStr, "SIGN") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_SIGN;
+  else if (strcmp(kindStr, "NONE") == 0)
+    *kindEnum = DDS_SECURITY_PROTECTION_KIND_NONE;
+  else
+    return -1;
+  return 0;
+}
+
+static int to_basic_protection_kind(const char *kindStr, DDS_Security_BasicProtectionKind *kindEnum)
+{
+  if (strcmp(kindStr, "ENCRYPT") == 0)
+    *kindEnum = DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT;
+  else if (strcmp(kindStr, "SIGN") == 0)
+    *kindEnum = DDS_SECURITY_BASICPROTECTION_KIND_SIGN;
+  else if (strcmp(kindStr, "NONE") == 0)
+    *kindEnum = DDS_SECURITY_BASICPROTECTION_KIND_NONE;
+  else
+    return -1;
+  return 0;
+}
+
+static int governance_element_open_cb(void *varg, uintptr_t parentinfo, uintptr_t *eleminfo, const char *name, int line)
+{
+  governance_parser *parser = (governance_parser *)varg;
+  DDS_Security_SecurityException ex;
+  memset(&ex, 0, sizeof(DDS_Security_SecurityException));
+  DDSRT_UNUSED_ARG(parentinfo);
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (ddsrt_strcasecmp(name, "dds") == 0)
+  {
+    /* This should be the first element. */
+    if (parser->current || parser->dds)
+      return -1;
+    parser->current = new_element(ELEMENT_KIND_DDS, NULL, sizeof(struct governance_dds));
+    parser->dds = (struct governance_dds *)parser->current;
+  }
+  else if (ddsrt_strcasecmp(name, "domain_access_rules") == 0)
+    PREPARE_NODE(domain_access_rules, DOMAIN_ACCESS_RULES, domain_access_rules, governance_dds, DDS, parser->current)
+  else if (ddsrt_strcasecmp(name, "domain_rule") == 0)
+    PREPARE_NODE_WITH_LIST(domain_rule, DOMAIN_RULE, domain_rule, domain_access_rules, DOMAIN_ACCESS_RULES, parser->current)
+  else if (ddsrt_strcasecmp(name, "domains") == 0)
+    PREPARE_NODE(domains, DOMAINS, domains, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "id") == 0)
+  {
+    xml_domains *domains = (xml_domains *)parser->current;
+    xml_domain_id_set *tail;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_DOMAINS)
+      return -1;
+    tail = domains->domain_id_set;
+    parser->current = new_element(ELEMENT_KIND_DOMAIN_VALUE, parser->current, sizeof(xml_integer_value));
+    if (!tail)
+    {
+      domains->domain_id_set = (xml_domain_id_set *)new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = domains->domain_id_set;
+    }
+    else
+    {
+      while (tail->node.next != NULL)
+        tail = (xml_domain_id_set *)tail->node.next;
+      tail->node.next = new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = (xml_domain_id_set *)tail->node.next;
+    }
+    tail->min = (xml_integer_value *)parser->current;
+    tail->max = NULL;
+  }
+  else if (ddsrt_strcasecmp(name, "id_range") == 0)
+    PREPARE_NODE_WITH_LIST(domain_id_set, DOMAIN_ID_SET, domain_id_set, domains, DOMAINS, parser->current)
+  else if (ddsrt_strcasecmp(name, "min") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, min, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "max") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, max, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "allow_unauthenticated_participants") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, allow_unauthenticated_participants, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_join_access_control") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_join_access_control, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "rtps_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, rtps_protection_kind, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "discovery_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, discovery_protection_kind, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "liveliness_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, liveliness_protection_kind, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic_access_rules") == 0)
+    PREPARE_NODE(topic_access_rules, TOPIC_ACCESS_RULES, topic_access_rules, domain_rule, DOMAIN_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic_rule") == 0)
+    PREPARE_NODE_WITH_LIST(topic_rule, TOPIC_RULE, topic_rule, topic_access_rules, TOPIC_ACCESS_RULES, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_read_access_control") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_read_access_control, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_write_access_control") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_write_access_control, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "metadata_protection_kind") == 0)
+    PREPARE_NODE(protection_kind_value, PROTECTION_KIND_VALUE, metadata_protection_kind, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "data_protection_kind") == 0)
+    PREPARE_NODE(basicprotection_kind_value, BASICPROTECTION_KIND_VALUE, data_protection_kind, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_liveliness_protection") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_liveliness_protection, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "enable_discovery_protection") == 0)
+    PREPARE_NODE(boolean_value, BOOLEAN_VALUE, enable_discovery_protection, topic_rule, TOPIC_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic_expression") == 0)
+  {
+    /* Current should be topic_rule. */
+    struct topic_rule *topicRule = (struct topic_rule *)parser->current;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_TOPIC_RULE)
+      return -1;
+    parser->current = new_element(ELEMENT_KIND_STRING_VALUE, parser->current, sizeof(struct string_value));
+    topicRule->topic_expression = (struct string_value *)parser->current;
+  }
+  else
+  {
+    printf("Unknown XML element: %s\n", name);
+    return -1;
+  }
+
+  return 0;
+}
+
+/* The function that is called on each attribute captured in XML.
+ * Only the following attributes will be handled:
+ * - name : the name of an element or attribute
+ */
+static int governance_element_attr_cb(void *varg, uintptr_t eleminfo, const char *name, const char *value, int line)
+{
+  /* There is no attribute in that XML */
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(varg);
+  DDSRT_UNUSED_ARG(value);
+  DDSRT_UNUSED_ARG(line);
+
+  if (ddsrt_strcasecmp(name, "xmlns:xsi") == 0 || ddsrt_strcasecmp(name, "xsi:noNamespaceSchemaLocation") == 0)
+    return 0;
+  return -1;
+}
+
+static bool str_to_intvalue(const char *image, int32_t *value)
+{
+  char *endptr;
+  long long l;
+  if (ddsrt_strtoll(image, &endptr, 0, &l) != DDS_RETCODE_OK)
+    return false;
+  *value = (int32_t)l;
+  if (*endptr != '\0')
+    return false;
+  return true;
+}
+
+/* The function that is called on each data item captured in XML.
+ * - data: the string value between the element tags
+ */
+static int governance_element_data_cb(void *varg, uintptr_t eleminfo, const char *data, int line)
+{
+  struct governance_parser *parser = (struct governance_parser *)varg;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (!parser || !parser->current)
+    return -1;
+  if (parser->current->kind == ELEMENT_KIND_STRING_VALUE)
+  {
+    struct string_value *value = (struct string_value *)parser->current;
+    value->value = ddsrt_strdup(data);
+  }
+  else if (parser->current->kind == ELEMENT_KIND_DOMAIN_VALUE)
+  {
+    struct integer_value *value = (struct integer_value *)parser->current;
+    if (str_to_intvalue(data, &value->value))
+    {
+      if (value->value < 0 || value->value > 230)
+        return -1;
+    }
+    else
+    {
+      return -1;
+    }
+  }
+  else if (parser->current->kind == ELEMENT_KIND_BOOLEAN_VALUE)
+  {
+    struct boolean_value *value = (struct boolean_value *)parser->current;
+    if (ddsrt_strcasecmp("true", data) == 0 || strcmp("1", data) == 0)
+      value->value = true;
+    else if (ddsrt_strcasecmp("false", data) == 0 || strcmp("0", data) == 0)
+      value->value = false;
+    else
+      return -1;
+  }
+  else if (parser->current->kind == ELEMENT_KIND_PROTECTION_KIND_VALUE)
+  {
+    struct protection_kind_value *value = (struct protection_kind_value *)parser->current;
+    if (to_protection_kind(data, &(value->value)) != 0)
+      return -1;
+  }
+  else if (parser->current->kind == ELEMENT_KIND_BASICPROTECTION_KIND_VALUE)
+  {
+    struct basicprotection_kind_value *value = (struct basicprotection_kind_value *)parser->current;
+    if (to_basic_protection_kind(data, &(value->value)) != 0)
+      return -1;
+  }
+  else
+  {
+    return -1;
+  }
+
+  return 0;
+}
+
+static int governance_element_close_cb(void *varg, uintptr_t eleminfo, int line)
+{
+  struct governance_parser *parser = (struct governance_parser *)varg;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (!parser->current)
+    return -1;
+  parser->current = parser->current->parent;
+  return 0;
+}
+
+static void governance_error_cb(void *varg, const char *msg, int line)
+{
+  DDSRT_UNUSED_ARG(varg);
+  printf("Failed to parse configuration file: error %d - %s\n", line, msg);
+}
+
+static void free_stringvalue(struct string_value *str)
+{
+  if (str)
+  {
+    ddsrt_free(str->value);
+    ddsrt_free(str);
+  }
+}
+
+static void free_domainid_set(struct domain_id_set *dis)
+{
+  if (dis)
+  {
+    if (dis->node.next)
+    {
+      free_domainid_set((struct domain_id_set *)dis->node.next);
+    }
+    ddsrt_free(dis->min);
+    ddsrt_free(dis->max);
+    ddsrt_free(dis);
+  }
+}
+
+static void free_domains(struct domains *domains)
+{
+  if (domains)
+  {
+    free_domainid_set(domains->domain_id_set);
+    ddsrt_free(domains);
+  }
+}
+
+static void free_topic_rule(struct topic_rule *rule)
+{
+  if (rule)
+  {
+    if (rule->node.next)
+      free_topic_rule((struct topic_rule *)rule->node.next);
+    free_stringvalue(rule->topic_expression);
+    ddsrt_free(rule->enable_discovery_protection);
+    ddsrt_free(rule->enable_liveliness_protection);
+    ddsrt_free(rule->enable_read_access_control);
+    ddsrt_free(rule->enable_write_access_control);
+    ddsrt_free(rule->metadata_protection_kind);
+    ddsrt_free(rule->data_protection_kind);
+    ddsrt_free(rule);
+  }
+}
+
+static void free_topic_access_rules(struct topic_access_rules *tar)
+{
+  if (tar)
+  {
+    struct topic_rule *current = tar->topic_rule;
+    free_topic_rule(current);
+  }
+  ddsrt_free(tar);
+}
+
+static void free_domain_rule(struct domain_rule *rule)
+{
+  if (rule)
+  {
+    if (rule->node.next)
+      free_domain_rule((struct domain_rule *)rule->node.next);
+    free_domains(rule->domains);
+    ddsrt_free(rule->allow_unauthenticated_participants);
+    ddsrt_free(rule->enable_join_access_control);
+    ddsrt_free(rule->rtps_protection_kind);
+    ddsrt_free(rule->discovery_protection_kind);
+    ddsrt_free(rule->liveliness_protection_kind);
+    free_topic_access_rules(rule->topic_access_rules);
+    ddsrt_free(rule);
+  }
+}
+
+static void free_domain_access_rules(struct domain_access_rules *dar)
+{
+  if (dar)
+  {
+    free_domain_rule(dar->domain_rule);
+    ddsrt_free(dar);
+  }
+}
+
+bool ac_parse_governance_xml(const char *xml, struct governance_parser **governance_tree, DDS_Security_SecurityException *ex)
+{
+  struct governance_parser *parser = NULL;
+  struct ddsrt_xmlp_state *st = NULL;
+  if (xml)
+  {
+    struct ddsrt_xmlp_callbacks cb;
+    cb.elem_open = governance_element_open_cb;
+    cb.elem_data = governance_element_data_cb;
+    cb.elem_close = governance_element_close_cb;
+    cb.attr = governance_element_attr_cb;
+    cb.error = governance_error_cb;
+    parser = ddsrt_malloc(sizeof(struct governance_parser));
+    parser->current = NULL;
+    parser->dds = NULL;
+    st = ddsrt_xmlp_new_string(xml, parser, &cb);
+    if (ddsrt_xmlp_parse(st) != 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_MESSAGE);
+      goto err_xml_parsing;
+    }
+#if DEBUG_PARSER
+    print_governance_parser_result(parser);
+#endif
+    if ((parser->dds != NULL) && (parser->dds->domain_access_rules != NULL) && (parser->dds->domain_access_rules->domain_rule != NULL))
+    {
+      if (!validate_rules(parser->dds->domain_access_rules->domain_rule, ex))
+        goto err_rules_validation;
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_MESSAGE);
+      goto err_parser_content;
+    }
+    *governance_tree = parser;
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_MESSAGE);
+    goto err_xml;
+  }
+  ddsrt_xmlp_free(st);
+  return true;
+
+err_parser_content:
+err_rules_validation:
+err_xml_parsing:
+  ddsrt_xmlp_free(st);
+  ac_return_governance_tree(parser);
+err_xml:
+  return false;
+}
+
+void ac_return_governance_tree(struct governance_parser *parser)
+{
+  if (parser)
+  {
+    if (parser->dds)
+    {
+      free_domain_access_rules(parser->dds->domain_access_rules);
+      ddsrt_free(parser->dds);
+    }
+    ddsrt_free(parser);
+  }
+}
+
+/* Permissions Callback functions */
+
+static int permissions_element_open_cb(void *varg, uintptr_t parentinfo, uintptr_t *eleminfo, const char *name, int line)
+{
+  permissions_parser *parser = (permissions_parser *)varg;
+  DDS_Security_SecurityException ex;
+  memset(&ex, 0, sizeof(DDS_Security_SecurityException));
+  DDSRT_UNUSED_ARG(parentinfo);
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+
+  /*it may be a valid element under an ignored element */
+  if (parser->current && parser->current->kind == ELEMENT_KIND_IGNORED)
+    parser->current = new_element(ELEMENT_KIND_IGNORED, parser->current, sizeof(struct element));
+  else if (ddsrt_strcasecmp(name, "dds") == 0)
+  {
+    /* This should be the first element. */
+    if (parser->current || parser->dds)
+      return -1;
+    parser->current = new_element(ELEMENT_KIND_DDS, NULL, sizeof(struct permissions_dds));
+    parser->dds = (struct permissions_dds *)parser->current;
+  }
+  else if (ddsrt_strcasecmp(name, "permissions") == 0)
+    PREPARE_NODE(permissions, PERMISSIONS, permissions, permissions_dds, DDS, parser->current)
+  else if (ddsrt_strcasecmp(name, "grant") == 0)
+    PREPARE_NODE_WITH_LIST(grant, GRANT, grant, permissions, PERMISSIONS, parser->current)
+  else if (ddsrt_strcasecmp(name, "domains") == 0)
+    PREPARE_NODE(domains, DOMAINS, domains, allow_deny_rule, ALLOW_DENY_RULE, parser->current)
+  else if (ddsrt_strcasecmp(name, "id") == 0)
+  {
+    xml_domains *domains = (xml_domains *)parser->current;
+    xml_domain_id_set *tail;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_DOMAINS)
+      return -1;
+    tail = domains->domain_id_set;
+    parser->current = new_element(ELEMENT_KIND_DOMAIN_VALUE, parser->current, sizeof(xml_integer_value));
+    if (!tail)
+    {
+      domains->domain_id_set = (xml_domain_id_set *)new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = domains->domain_id_set;
+    }
+    else
+    {
+      while (tail->node.next != NULL)
+        tail = (xml_domain_id_set *)tail->node.next;
+      tail->node.next = new_element(ELEMENT_KIND_DOMAIN_ID_SET, parser->current, sizeof(xml_domain_id_set));
+      tail = (xml_domain_id_set *)tail->node.next;
+    }
+    tail->min = (xml_integer_value *)parser->current;
+    tail->max = NULL;
+  }
+  else if (ddsrt_strcasecmp(name, "id_range") == 0)
+    PREPARE_NODE_WITH_LIST(domain_id_set, DOMAIN_ID_SET, domain_id_set, domains, DOMAINS, parser->current)
+  else if (ddsrt_strcasecmp(name, "min") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, min, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "max") == 0)
+    PREPARE_NODE(integer_value, DOMAIN_VALUE, max, domain_id_set, DOMAIN_ID_SET, parser->current)
+  else if (ddsrt_strcasecmp(name, "subject_name") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, subject_name, grant, GRANT, parser->current)
+  else if (ddsrt_strcasecmp(name, "validity") == 0)
+    PREPARE_NODE(validity, VALIDITY, validity, grant, GRANT, parser->current)
+  else if (ddsrt_strcasecmp(name, "not_before") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, not_before, validity, VALIDITY, parser->current)
+  else if (ddsrt_strcasecmp(name, "not_after") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, not_after, validity, VALIDITY, parser->current)
+  else if (ddsrt_strcasecmp(name, "allow_rule") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(allow_deny_rule, ALLOW_DENY_RULE, allow_deny_rule, grant, GRANT, parser->current)
+    ((xml_allow_deny_rule *)parser->current)->rule_type = ALLOW_RULE;
+  }
+  else if (ddsrt_strcasecmp(name, "deny_rule") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(allow_deny_rule, ALLOW_DENY_RULE, allow_deny_rule, grant, GRANT, parser->current)
+    ((xml_allow_deny_rule *)parser->current)->rule_type = DENY_RULE;
+  }
+  else if (ddsrt_strcasecmp(name, "subscribe") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(criteria, CRITERIA, criteria, allow_deny_rule, ALLOW_DENY_RULE, parser->current)
+    ((xml_criteria *)parser->current)->criteria_type = SUBSCRIBE_CRITERIA;
+  }
+  else if (ddsrt_strcasecmp(name, "publish") == 0)
+  {
+    PREPARE_NODE_WITH_LIST(criteria, CRITERIA, criteria, allow_deny_rule, ALLOW_DENY_RULE, parser->current)
+    ((xml_criteria *)parser->current)->criteria_type = PUBLISH_CRITERIA;
+  }
+  else if (ddsrt_strcasecmp(name, "topics") == 0)
+    PREPARE_NODE(topics, TOPICS, topics, criteria, CRITERIA, parser->current)
+  else if (ddsrt_strcasecmp(name, "topic") == 0)
+    PREPARE_NODE_WITH_LIST(string_value, STRING_VALUE, topic, topics, TOPICS, parser->current)
+  else if (ddsrt_strcasecmp(name, "partitions") == 0)
+    PREPARE_NODE(partitions, PARTITIONS, partitions, criteria, CRITERIA, parser->current)
+  else if (ddsrt_strcasecmp(name, "partition") == 0)
+    PREPARE_NODE_WITH_LIST(string_value, STRING_VALUE, partition, partitions, PARTITIONS, parser->current)
+  else if (ddsrt_strcasecmp(name, "default") == 0)
+    PREPARE_NODE(string_value, STRING_VALUE, default_action, grant, GRANT, parser->current)
+  else if (ddsrt_strcasecmp(name, "relay") == 0 ||
+           ddsrt_strcasecmp(name, "value") == 0 ||
+           ddsrt_strcasecmp(name, "name") == 0 ||
+           ddsrt_strcasecmp(name, "tag") == 0 ||
+           ddsrt_strcasecmp(name, "data_tags") == 0)
+  {
+    parser->current = new_element(ELEMENT_KIND_IGNORED, parser->current, sizeof(struct element));
+    /*if this is the first element in the IGNORED branch, then give warning for the user*/
+    if (parser->current->parent->kind != ELEMENT_KIND_IGNORED)
+      printf("Warning: Unsupported element \"%s\" has been ignored in permissions file.\n", name);
+  }
+  else
+  {
+    printf("Unknown XML element: %s\n", name);
+    return -1;
+  }
+
+  return 0;
+}
+
+/* The function that is called on each attribute captured in XML.
+ * Only the following attributes will be handled:
+ * - name : the name of an element or attribute
+ */
+static int permissions_element_attr_cb(void *varg, uintptr_t eleminfo, const char *name, const char *value, int line)
+{
+  struct permissions_parser *parser = (struct permissions_parser *)varg;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (ddsrt_strcasecmp(name, "xmlns:xsi") == 0 || ddsrt_strcasecmp(name, "xsi:noNamespaceSchemaLocation") == 0)
+    return 0;
+  if (strcmp(name, "name") == 0)
+  {
+    /* Parent should be grants. */
+    struct grant *grant = (struct grant *)parser->current;
+    if (!parser->current || parser->current->kind != ELEMENT_KIND_GRANT)
+      return -1;
+    grant->name = ddsrt_strdup(value);
+    return 0;
+  }
+  return -1;
+}
+
+/* The function that is called on each data item captured in XML.
+ * - data: the string value between the element tags */
+static int permissions_element_data_cb(void *varg, uintptr_t eleminfo, const char *data, int line)
+{
+  struct permissions_parser *parser = (struct permissions_parser *)varg;
+  DDS_Security_SecurityException ex;
+  memset(&ex, 0, sizeof(DDS_Security_SecurityException));
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+  if (!parser || !parser->current)
+    return -1;
+  if (parser->current->kind == ELEMENT_KIND_STRING_VALUE)
+  {
+    struct string_value *value = (struct string_value *)parser->current;
+    value->value = ddsrt_strdup(data);
+  }
+  else if (parser->current->kind == ELEMENT_KIND_DOMAIN_VALUE)
+  {
+    struct integer_value *value = (struct integer_value *)parser->current;
+    if (str_to_intvalue(data, &value->value))
+    {
+      if (value->value < 0 || value->value > 230)
+        return -1;
+    }
+    else
+      return -1;
+  }
+  else
+  {
+    if (parser->current->kind != ELEMENT_KIND_IGNORED)
+      return -1;
+  }
+  return 0;
+}
+
+static int permissions_element_close_cb(void *varg, uintptr_t eleminfo, int line)
+{
+  struct permissions_parser *parser = (struct permissions_parser *)varg;
+  struct element *parent;
+  DDSRT_UNUSED_ARG(eleminfo);
+  DDSRT_UNUSED_ARG(line);
+
+  if (!parser->current)
+    return -1;
+  parent = parser->current->parent;
+  if (parser->current->kind == ELEMENT_KIND_IGNORED)
+    ddsrt_free(parser->current);
+  parser->current = parent;
+  return 0;
+}
+
+static void permissions_error_cb(void *varg, const char *msg, int line)
+{
+  DDSRT_UNUSED_ARG(varg);
+  printf("Failed to parse configuration file: error %d - %s\n", line, msg);
+}
+
+bool ac_parse_permissions_xml(const char *xml, struct permissions_parser **permissions_tree, DDS_Security_SecurityException *ex)
+{
+  struct permissions_parser *parser = NULL;
+  struct ddsrt_xmlp_state *st = NULL;
+
+  if (xml)
+  {
+    struct ddsrt_xmlp_callbacks cb;
+    cb.elem_open = permissions_element_open_cb;
+    cb.elem_data = permissions_element_data_cb;
+    cb.elem_close = permissions_element_close_cb;
+    cb.attr = permissions_element_attr_cb;
+    cb.error = permissions_error_cb;
+    parser = ddsrt_malloc(sizeof(struct permissions_parser));
+    parser->current = NULL;
+    parser->dds = NULL;
+    st = ddsrt_xmlp_new_string(xml, parser, &cb);
+    if (ddsrt_xmlp_parse(st) != 0)
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_MESSAGE);
+      goto err_xml_parsing;
+    }
+#if DEBUG_PARSER
+    print_permissions_parser_result(parser);
+#endif
+    if ((parser->dds != NULL) && (parser->dds->permissions != NULL) && (parser->dds->permissions->grant != NULL))
+    {
+      if (!validate_permissions_tree(parser->dds->permissions->grant, ex))
+        goto err_parser_content;
+    }
+    else
+    {
+      DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_MESSAGE);
+      goto err_parser_content;
+    }
+    *permissions_tree = parser;
+  }
+  else
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE, 0, DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_MESSAGE);
+    goto err_xml;
+  }
+  ddsrt_xmlp_free(st);
+  return true;
+
+err_parser_content:
+err_xml_parsing:
+  ddsrt_xmlp_free(st);
+  ac_return_permissions_tree(parser);
+err_xml:
+  return false;
+}
+
+static void free_topic(struct string_value *topic)
+{
+  if (topic)
+  {
+    if (topic->node.next != NULL)
+      free_topic((struct string_value *)topic->node.next);
+    free_stringvalue(topic);
+  }
+}
+
+static void free_topics(struct topics *topics)
+{
+  if (topics)
+  {
+    free_topic(topics->topic);
+    ddsrt_free(topics);
+  }
+}
+
+static void free_partition(struct string_value *partition)
+{
+  if (partition)
+  {
+    if (partition->node.next != NULL)
+      free_partition((struct string_value *)partition->node.next);
+    free_stringvalue(partition);
+  }
+}
+
+static void free_partitions(struct partitions *partitions)
+{
+  if (partitions)
+  {
+    free_partition(partitions->partition);
+    ddsrt_free(partitions);
+  }
+}
+
+static void free_validity(struct validity *validity)
+{
+  if (validity)
+  {
+    free_stringvalue(validity->not_after);
+    free_stringvalue(validity->not_before);
+    ddsrt_free(validity);
+  }
+}
+
+static void free_criteria(struct criteria *criteria)
+{
+  if (criteria)
+  {
+    if (criteria->node.next)
+      free_criteria((struct criteria *)criteria->node.next);
+    free_partitions(criteria->partitions);
+    free_topics(criteria->topics);
+    ddsrt_free(criteria);
+  }
+}
+
+static void free_allow_deny_rule(struct allow_deny_rule *rule)
+{
+  if (rule)
+  {
+    free_allow_deny_rule((struct allow_deny_rule *)rule->node.next);
+    free_domains(rule->domains);
+    free_criteria(rule->criteria);
+    ddsrt_free(rule);
+  }
+}
+
+static void free_grant(struct grant *grant)
+{
+  if (grant)
+  {
+    if (grant->node.next)
+      free_grant((struct grant *)grant->node.next);
+    ddsrt_free(grant->name);
+    free_stringvalue(grant->subject_name);
+    free_stringvalue(grant->default_action);
+    free_validity(grant->validity);
+    free_allow_deny_rule(grant->allow_deny_rule);
+    ddsrt_free(grant);
+  }
+}
+
+static void free_permissions(struct permissions *permissions)
+{
+  if (permissions)
+  {
+    free_grant(permissions->grant);
+    ddsrt_free(permissions);
+  }
+}
+
+void ac_return_permissions_tree(struct permissions_parser *parser)
+{
+  if (parser)
+  {
+    if (parser->dds)
+    {
+      free_permissions(parser->dds->permissions);
+      ddsrt_free(parser->dds);
+    }
+    ddsrt_free(parser);
+  }
+}
diff --git a/src/security/builtin_plugins/access_control/src/access_control_parser.h b/src/security/builtin_plugins/access_control/src/access_control_parser.h
new file mode 100644
index 0000000..b4ed491
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_parser.h
@@ -0,0 +1,301 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_PARSER_H
+#define ACCESS_CONTROL_PARSER_H
+
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+
+typedef enum
+{
+  ELEMENT_KIND_UNDEFINED,
+  ELEMENT_KIND_DDS,
+  ELEMENT_KIND_DOMAIN_ACCESS_RULES,
+  ELEMENT_KIND_DOMAIN_RULE,
+  ELEMENT_KIND_DOMAINS,
+  ELEMENT_KIND_DOMAIN_ID_SET,
+  ELEMENT_KIND_RANGE,
+  ELEMENT_KIND_ALLOW_UNAUTHENTICATED_PARTICIPANTS,
+  ELEMENT_KIND_ENABLE_JOIN_ACCESS_CONTROL,
+  ELEMENT_KIND_RTPS_PROTECTION,
+  ELEMENT_KIND_DISCOVERY_PROTECTION,
+  ELEMENT_KIND_LIVELINESS_PROTECTION,
+  ELEMENT_KIND_TOPIC_ACCESS_RULES,
+  ELEMENT_KIND_TOPIC_RULE,
+  ELEMENT_KIND_STRING_VALUE,
+  ELEMENT_KIND_BOOLEAN_VALUE,
+  ELEMENT_KIND_DOMAIN_VALUE,
+  ELEMENT_KIND_PROTECTION_KIND_VALUE,
+  ELEMENT_KIND_BASICPROTECTION_KIND_VALUE,
+  ELEMENT_KIND_PERMISSIONS,
+  ELEMENT_KIND_GRANT,
+  ELEMENT_KIND_ALLOW_DENY_RULE,
+  ELEMENT_KIND_CRITERIA,
+  ELEMENT_KIND_VALIDITY,
+  ELEMENT_KIND_TOPICS,
+  ELEMENT_KIND_PARTITIONS,
+  ELEMENT_KIND_DEFAULT,
+  ELEMENT_KIND_IGNORED
+} element_kind;
+
+typedef enum
+{
+  UNKNOWN_CRITERIA,
+  SUBSCRIBE_CRITERIA,
+  PUBLISH_CRITERIA
+} permission_criteria_type;
+
+typedef enum
+{
+  ALLOW_RULE,
+  DENY_RULE
+} permission_rule_type;
+
+typedef struct element
+{
+  struct element *parent;
+  element_kind kind;
+  struct element *next; /*used in case of string list usage */
+} xml_element;
+
+/* TODO: Change the value nodes for specific nodes for
+ * proper value parsing and validating. */
+
+typedef struct string_value
+{
+  struct element node;
+  char *value;
+} xml_string_value;
+
+typedef struct boolean_value
+{
+  struct element node;
+  bool value;
+} xml_boolean_value;
+
+typedef struct integer_value
+{
+  struct element node;
+  int32_t value;
+} xml_integer_value;
+
+typedef struct protection_kind_value
+{
+  struct element node;
+  DDS_Security_ProtectionKind value;
+} xml_protection_kind_value;
+
+typedef struct basicprotection_kind_value
+{
+  struct element node;
+  DDS_Security_BasicProtectionKind value;
+} xml_basicprotection_kind_value;
+
+typedef struct domain_id_set
+{
+  struct element node;
+  struct integer_value *min;
+  struct integer_value *max;
+} xml_domain_id_set;
+
+typedef struct domains
+{
+  struct element node;
+  struct domain_id_set *domain_id_set; /*linked list*/
+} xml_domains;
+
+typedef struct topic_rule
+{
+  struct element node;
+  struct string_value *topic_expression;
+  struct boolean_value *enable_discovery_protection;
+  struct boolean_value *enable_liveliness_protection;
+  struct boolean_value *enable_read_access_control;
+  struct boolean_value *enable_write_access_control;
+  struct protection_kind_value *metadata_protection_kind;
+  struct basicprotection_kind_value *data_protection_kind;
+} xml_topic_rule;
+
+typedef struct topic_access_rules
+{
+  struct element node;
+  struct topic_rule *topic_rule; /*linked_list*/
+} xml_topic_access_rules;
+
+typedef struct domain_rule
+{
+  struct element node;
+  struct domains *domains;
+  struct boolean_value *allow_unauthenticated_participants;
+  struct boolean_value *enable_join_access_control;
+  struct protection_kind_value *discovery_protection_kind;
+  struct protection_kind_value *liveliness_protection_kind;
+  struct protection_kind_value *rtps_protection_kind;
+  struct topic_access_rules *topic_access_rules;
+} xml_domain_rule;
+
+typedef struct domain_access_rules
+{
+  struct element node;
+  struct domain_rule *domain_rule;
+} xml_domain_access_rules;
+
+typedef struct governance_dds
+{
+  struct element node;
+  struct domain_access_rules *domain_access_rules;
+} xml_governance_dds;
+
+typedef struct governance_parser
+{
+  struct governance_dds *dds;
+  struct element *current;
+} governance_parser;
+
+/* permissions file specific types */
+typedef struct validity
+{
+  struct element node;
+  struct string_value *not_before;
+  struct string_value *not_after;
+} xml_validity;
+
+typedef struct topics
+{
+  struct element node;
+  struct string_value *topic;
+} xml_topics;
+
+typedef struct partitions
+{
+  struct element node;
+  struct string_value *partition;
+} xml_partitions;
+
+typedef struct criteria
+{
+  struct element node;
+  permission_criteria_type criteria_type;
+  struct topics *topics;
+  struct partitions *partitions;
+} xml_criteria;
+
+typedef struct allow_deny_rule
+{
+  struct element node;
+  permission_rule_type rule_type;
+  struct domains *domains;
+  struct criteria *criteria;
+} xml_allow_deny_rule;
+
+typedef struct grant
+{
+  struct element node;
+  char *name;
+  struct string_value *subject_name;
+  struct validity *validity;
+  struct allow_deny_rule *allow_deny_rule;
+  struct string_value *default_action;
+} xml_grant;
+
+typedef struct permissions
+{
+  struct element node;
+  struct grant *grant;
+} xml_permissions;
+
+typedef struct permissions_dds
+{
+  struct element node;
+  struct permissions *permissions;
+} xml_permissions_dds;
+
+typedef struct permissions_parser
+{
+  struct permissions_dds *dds;
+  struct element *current;
+} permissions_parser;
+
+bool ac_parse_governance_xml(const char *xml, struct governance_parser **governance_tree, DDS_Security_SecurityException *ex);
+bool ac_parse_permissions_xml(const char *xml, struct permissions_parser **permissions_tree, DDS_Security_SecurityException *ex);
+void ac_return_governance_tree(struct governance_parser *parser);
+void ac_return_permissions_tree(struct permissions_parser *parser);
+
+#define DDS_SECURITY_DEFAULT_GOVERNANCE "<?xml version=\"1.0\" encoding=\"utf-8\"?> \
+<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \
+    xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd\"> \
+    <domain_access_rules>                                                                                               \
+        <domain_rule>                                                                                                   \
+            <domains>                                                                                                   \
+                <!-- All domains -->                                                                                    \
+                <id_range>                                                                                              \
+                    <min>0</min>                                                                                        \
+                    <max>230</max>                                                                                      \
+                </id_range>                                                                                             \
+            </domains>                                                                                                  \
+                                                                                                                        \
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>                              \
+            <enable_join_access_control>false</enable_join_access_control>                                               \
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>                                              \
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>                                            \
+            <rtps_protection_kind>NONE</rtps_protection_kind>                                                           \
+            <topic_access_rules>                                                                                        \
+                <topic_rule>                                                                                            \
+                    <topic_expression>*</topic_expression>                                                              \
+                    <enable_liveliness_protection>true</enable_liveliness_protection>                                   \
+                    <enable_discovery_protection>true</enable_discovery_protection>                                     \
+                    <enable_read_access_control>false</enable_read_access_control>                                      \
+                    <enable_write_access_control>false</enable_write_access_control>                                    \
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>                                        \
+                    <data_protection_kind>ENCRYPT</data_protection_kind>                                                \
+                </topic_rule>                                                                                           \
+            </topic_access_rules>                                                                                       \
+        </domain_rule>                                                                                                  \
+    </domain_access_rules>                                                                                              \
+</dds>                                      "
+
+#define DDS_SECURITY_DEFAULT_PERMISSIONS "<?xml version=\"1.0\" encoding=\"utf-8\"?>                                    \
+<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"                                                            \
+    xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd\">      \
+    <permissions>                                                                                                       \
+        <grant name=\"DEFAULT_PERMISSIONS\">                                                                            \
+            <subject_name>DEFAULT_SUBJECT</subject_name>                                                                               \
+            <validity>                                                                                                  \
+                <not_before>2015-09-15T01:00:00</not_before>                                                            \
+                <not_after>2115-09-15T01:00:00</not_after>                                                              \
+            </validity>                                                                                                 \
+            <deny_rule>                                                                                                \
+                <domains>                                                                                               \
+                    <id_range>                                                                                          \
+                        <min>0</min>                                                                                    \
+                        <max>230</max>                                                                                  \
+                    </id_range>                                                                                         \
+                </domains>                                                                                              \
+                <publish>                                                                                               \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </publish>                                                                                              \
+                <subscribe>                                                                                             \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </subscribe>                                                                                            \
+           </deny_rule>                                                                                                \
+           <default>DENY</default>                                                                                     \
+        </grant>                                                                                                        \
+    </permissions>                                                                                                      \
+</dds>                                  "
+
+#endif /* ACCESS_CONTROL_UTILS_H */
diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.c b/src/security/builtin_plugins/access_control/src/access_control_utils.c
new file mode 100644
index 0000000..6c56d9e
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_utils.c
@@ -0,0 +1,406 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/time.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "access_control_utils.h"
+
+#define SEQ_ERR -1
+#define SEQ_NOMATCH 0
+#define SEQ_MATCH 1
+
+bool ac_X509_certificate_from_data(const char *data, int len, X509 **x509Cert, DDS_Security_SecurityException *ex)
+{
+  BIO *bio;
+  assert(data);
+  assert(len >= 0);
+  assert(x509Cert);
+
+  /* load certificate in buffer */
+  if ((bio = BIO_new_mem_buf((void *)data, len)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+    return false;
+  }
+  if ((*x509Cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE, 0, DDS_SECURITY_ERR_INVALID_CERTICICATE_MESSAGE ": ");
+    BIO_free(bio);
+    return false;
+  }
+  BIO_free(bio);
+  return true;
+}
+
+static bool X509_certificate_from_file(const char *filename, X509 **x509Cert, DDS_Security_SecurityException *ex)
+{
+  DDSRT_WARNING_MSVC_OFF(4996);
+  FILE *fp;
+  assert(filename);
+  assert(x509Cert);
+
+  /* Check if this is a valid file by getting its size. */
+  if (ac_regular_file_size(filename) == 0)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename);
+    return false;
+  }
+  if ((fp = fopen(filename, "r")) == NULL)
+  {
+    DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename);
+    return false;
+  }
+  if ((*x509Cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE, 0, DDS_SECURITY_ERR_INVALID_CERTICICATE_MESSAGE ": ");
+    fclose(fp);
+    return false;
+  }
+  fclose(fp);
+  return true;
+  DDSRT_WARNING_MSVC_ON(4996);
+}
+
+bool ac_X509_certificate_read(const char *data, X509 **x509Cert, DDS_Security_SecurityException *ex)
+{
+  bool result = false;
+  char *contents = NULL;
+  assert(data);
+  assert(x509Cert);
+
+  switch (DDS_Security_get_conf_item_type(data, &contents))
+  {
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE:
+    result = X509_certificate_from_file(contents, x509Cert, ex);
+    break;
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA:
+    result = ac_X509_certificate_from_data(contents, (int)strlen(contents), x509Cert, ex);
+    break;
+  case DDS_SECURITY_CONFIG_ITEM_PREFIX_PKCS11:
+    DDS_Security_Exception_set(
+        ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE, 0,
+        DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_MESSAGE " (pkcs11)");
+    break;
+  default:
+    DDS_Security_Exception_set(
+        ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE, 0,
+        DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_MESSAGE);
+    break;
+  }
+  ddsrt_free(contents);
+  return result;
+}
+
+char *ac_get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *ex)
+{
+  X509_NAME *name;
+  BIO *bio;
+  char *subject = NULL;
+  char *pmem;
+  size_t sz;
+  assert(cert);
+  if (!(bio = BIO_new(BIO_s_mem())))
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+    goto err_bio_alloc;
+  }
+  if (!(name = X509_get_subject_name(cert)))
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE ": ");
+    goto err_get_subject;
+  }
+
+  /* TODO: check if this is the correct format of the subject name: check spec */
+  X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253);
+
+  sz = (size_t) BIO_get_mem_data(bio, &pmem);
+  subject = ddsrt_malloc(sz + 1);
+
+  if (BIO_gets(bio, subject, (int)sz + 1) < 0)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE ": ");
+    ddsrt_free(subject);
+    subject = NULL;
+  }
+  BIO_free(bio);
+  return subject;
+
+err_get_subject:
+  BIO_free(bio);
+err_bio_alloc:
+  return NULL;
+}
+
+static bool PKCS7_document_from_data(const char *data, size_t len, PKCS7 **p7, BIO **bcont, DDS_Security_SecurityException *ex)
+{
+  BIO *bio;
+  assert(data);
+  assert(p7);
+  assert(bcont);
+
+  *bcont = NULL;
+  assert (len < INT32_MAX);
+  if ((bio = BIO_new_mem_buf((void *)data, (int)len)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+    return false;
+  }
+  if ((*p7 = SMIME_read_PKCS7(bio, bcont)) == NULL)
+  {
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
+    BIO_free(bio);
+    return false;
+  }
+  BIO_free(bio);
+  return true;
+}
+
+static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbio, DDS_Security_SecurityException *ex)
+{
+  bool result = false;
+  X509_STORE *store = NULL;
+
+  assert(p7);
+  assert(cert);
+  assert(inbio);
+  assert(outbio);
+
+  if ((*outbio = BIO_new(BIO_s_mem())) == NULL)
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+  else if ((store = X509_STORE_new()) == NULL)
+    DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
+  else
+  {
+    X509_STORE_add_cert(store, cert);
+    if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1)
+      DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
+    else
+      result = true;
+  }
+  if (store)
+    X509_STORE_free(store);
+  if (!result && *outbio)
+  {
+    BIO_free(*outbio);
+    *outbio = NULL;
+  }
+  return result;
+}
+
+bool ac_PKCS7_document_check(const char *data, size_t len, X509 *cert, char **document, DDS_Security_SecurityException *ex)
+{
+  bool result = false;
+  PKCS7 *p7;
+  BIO *bcont, *bdoc;
+  char *pmem;
+  size_t sz;
+
+  assert(data);
+  assert(cert);
+  assert(document);
+
+  if (!PKCS7_document_from_data(data, len, &p7, &bcont, ex))
+    goto err_read_data;
+
+  if (!PKCS7_document_verify(p7, cert, bcont, &bdoc, ex))
+    goto err_verify;
+
+  sz = (size_t) BIO_get_mem_data(bdoc, &pmem);
+  *document = ddsrt_malloc(sz + 1);
+  memcpy(*document, pmem, sz);
+  (*document)[sz] = '\0';
+  result = true;
+  BIO_free(bdoc);
+
+err_verify:
+  PKCS7_free(p7);
+  BIO_free(bcont);
+err_read_data:
+  return result;
+}
+
+static bool string_to_properties(const char *str, DDS_Security_PropertySeq *properties)
+{
+  char *copy = ddsrt_strdup (str), *cursor = copy, *tok;
+  while ((tok = ddsrt_strsep (&cursor, ",/|")) != NULL)
+  {
+    if (strlen(tok) == 0)
+      continue;
+    char *name = ddsrt_strsep (&tok, "=");
+    if (name == NULL || tok == NULL || properties->_length >= properties->_maximum)
+    {
+      ddsrt_free (copy);
+      return false;
+    }
+    properties->_buffer[properties->_length].name = ddsrt_strdup(name);
+    properties->_buffer[properties->_length].value = ddsrt_strdup(tok);
+    properties->_length++;
+  }
+  ddsrt_free (copy);
+  return true;
+}
+
+bool ac_check_subjects_are_equal(const char *permissions_sn, const char *identity_sn)
+{
+  bool result = false;
+  char *copy_idsn = ddsrt_strdup (identity_sn), *cursor_idsn = copy_idsn, *tok_idsn;
+  DDS_Security_PropertySeq prop_pmsn;
+  prop_pmsn._length = 0;
+  prop_pmsn._maximum = 20;
+  prop_pmsn._buffer = ddsrt_malloc(prop_pmsn._maximum * sizeof(DDS_Security_Property_t));
+
+  if (!string_to_properties(permissions_sn, &prop_pmsn))
+    goto check_subj_equal_failed;
+
+  while ((tok_idsn = ddsrt_strsep (&cursor_idsn, ",/|")) != NULL)
+  {
+    char *value_pmsn;
+    char *name_idsn = ddsrt_strsep (&tok_idsn, "=");
+    if (name_idsn == NULL || tok_idsn == NULL)
+      goto check_subj_equal_failed;
+    value_pmsn = DDS_Security_Property_get_value(&prop_pmsn, name_idsn);
+    if (value_pmsn == NULL || strcmp(value_pmsn, value_pmsn) != 0)
+    {
+      ddsrt_free(value_pmsn);
+      goto check_subj_equal_failed;
+    }
+    ddsrt_free(value_pmsn);
+  }
+  result = true;
+
+check_subj_equal_failed:
+  ddsrt_free(copy_idsn);
+  DDS_Security_PropertySeq_deinit(&prop_pmsn);
+  return result;
+}
+
+size_t ac_regular_file_size(const char *filename)
+{
+  if (filename)
+  {
+#if _WIN32
+    struct _stat stat_info;
+    if (_stat (filename, &stat_info) == 0)
+      if (stat_info.st_mode & _S_IFREG)
+        return (size_t) stat_info.st_size;
+#else
+    struct stat stat_info;
+    if (stat (filename, &stat_info) == 0)
+      if (S_ISREG(stat_info.st_mode))
+        return (size_t) stat_info.st_size;
+#endif
+  }
+  return 0;
+}
+
+static int sequencematch(const char *pat, char c, char **new_pat)
+{
+  char patc = *pat;
+  char rpatc;
+  const bool neg = (patc == '!');
+  bool m = false;
+
+  if (neg)
+    ++pat;
+  for (patc = *pat; patc != ']'; pat++)
+  {
+    patc = *pat;
+    if (patc == '\0')
+      return SEQ_ERR;
+    if (*(pat + 1) == '-')
+    {
+      rpatc = *(pat + 2);
+      if (rpatc == '\0' || rpatc == ']')
+        return SEQ_ERR;
+      if ((uint8_t)patc <= (uint8_t)c && (uint8_t)c <= (uint8_t)rpatc)
+        m = true;
+      pat += 2;
+    }
+    else if (patc == c)
+      m = true;
+  }
+  *new_pat = (char *) pat;
+  return (m != neg) ? SEQ_MATCH : SEQ_NOMATCH;
+}
+
+bool ac_fnmatch(const char* pat, const char* str)
+{
+  char patc;
+  bool ret;
+  char *new_pat;
+
+  assert(pat != NULL);
+  assert(str != NULL);
+
+  for (;;)
+  {
+    switch (patc = *pat++)
+    {
+    case '\0':
+      return (*str == '\0');
+    case '?':
+      if (*str == '\0')
+        return false;
+      ++str;
+      break;
+    case '*':
+      patc = *pat;
+      while (patc == '*')
+        patc = *++pat;
+      if (patc == '\0')
+        return true;
+      while (*str != '\0')
+      {
+        ret = ac_fnmatch(pat, str);
+        if (ret)
+          return true;
+        ++str;
+      }
+      return false;
+      break;
+    case '[':
+      if (*str == '\0')
+        return false;
+      switch (sequencematch(pat, *str, &new_pat))
+      {
+      case SEQ_MATCH:
+        pat = new_pat;
+        ++str;
+        break;
+      case SEQ_NOMATCH:
+      case SEQ_ERR:
+        return false;
+      }
+      break;
+    default: /* Regular character */
+      if (*str != patc)
+        return false;
+      str++;
+      break;
+    }
+  }
+}
+
diff --git a/src/security/builtin_plugins/access_control/src/access_control_utils.h b/src/security/builtin_plugins/access_control/src/access_control_utils.h
new file mode 100644
index 0000000..008ab21
--- /dev/null
+++ b/src/security/builtin_plugins/access_control/src/access_control_utils.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#ifndef ACCESS_CONTROL_UTILS_H
+#define ACCESS_CONTROL_UTILS_H
+
+#include <openssl/x509.h>
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/export.h"
+
+#define DDS_ACCESS_CONTROL_PLUGIN_CONTEXT "Access Control"
+
+bool ac_X509_certificate_read(const char *data, X509 **x509Cert, DDS_Security_SecurityException *ex);
+bool ac_X509_certificate_from_data(const char *data, int len, X509 **x509Cert, DDS_Security_SecurityException *ex);
+char *ac_get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *ex);
+bool ac_PKCS7_document_check(const char *data, size_t len, X509 *cert, char **document, DDS_Security_SecurityException *ex);
+bool ac_check_subjects_are_equal(const char *permissions_sn, const char *identity_sn);
+size_t ac_regular_file_size(const char *filename);
+SECURITY_EXPORT bool ac_fnmatch(const char* pattern, const char* string);
+
+#endif /* ACCESS_CONTROL_UTILS_H */
diff --git a/src/security/builtin_plugins/tests/CMakeLists.txt b/src/security/builtin_plugins/tests/CMakeLists.txt
index d3250d0..d822524 100644
--- a/src/security/builtin_plugins/tests/CMakeLists.txt
+++ b/src/security/builtin_plugins/tests/CMakeLists.txt
@@ -23,6 +23,16 @@ set(security_auth_test_sources
     "validate_remote_identity/src/validate_remote_identity_utests.c"
 )
 
+set(security_ac_test_sources
+    "access_control_fnmatch/src/access_control_fnmatch_utests.c"
+    "get_permissions_credential_token/src/get_permissions_credential_token_utests.c"
+    "get_permissions_token/src/get_permissions_token_utests.c"
+    "get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c"
+    # "listeners_access_control/src/listeners_access_control_utests.c"
+    "validate_local_permissions/src/validate_local_permissions_utests.c"
+    "validate_remote_permissions/src/validate_remote_permissions_utests.c"
+)
+
 set(security_crypto_test_sources
     "common/src/crypto_helper.c"
     "create_local_datareader_crypto_tokens/src/create_local_datareader_crypto_tokens_utests.c"
@@ -48,9 +58,21 @@ set(security_crypto_test_sources
     "set_remote_participant_crypto_tokens/src/set_remote_participant_crypto_tokens_utests.c"
 )
 
-add_cunit_executable(cunit_security_plugins ${security_auth_test_sources} ${security_crypto_test_sources})
+add_cunit_executable(cunit_security_plugins ${security_auth_test_sources} ${security_ac_test_sources} ${security_crypto_test_sources})
+target_include_directories(
+  cunit_security_plugins PRIVATE
+  "$<BUILD_INTERFACE:${CMAKE_BINARY_DIR}/src/include/>"
+  "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
+  "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
+  "$<BUILD_INTERFACE:$<TARGET_PROPERTY:ddsrt,INTERFACE_INCLUDE_DIRECTORIES>>"
+  "$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}>"
+  "$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>"
+)
+target_link_libraries(cunit_security_plugins PRIVATE ddsc security_api)
+
 if(OPENSSL_FOUND)
-  target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_crypto)
+target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_ac)
+target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_crypto)
   target_link_libraries(cunit_security_plugins PRIVATE OpenSSL::SSL)
 else()
   message(FATAL_ERROR "To build with openssl support, set ENABLE_OPENSSL to ON")
@@ -58,6 +80,7 @@ endif()
 
 target_include_directories(
   cunit_security_plugins PRIVATE
+      "$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}/../access_control/src/>"
       "$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}/../cryptographic/src/>"
       "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
       "$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
diff --git a/src/security/builtin_plugins/tests/access_control_fnmatch/src/access_control_fnmatch_utests.c b/src/security/builtin_plugins/tests/access_control_fnmatch/src/access_control_fnmatch_utests.c
new file mode 100644
index 0000000..08568a3
--- /dev/null
+++ b/src/security/builtin_plugins/tests/access_control_fnmatch/src/access_control_fnmatch_utests.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "assert.h"
+#include "access_control_utils.h"
+
+
+CU_Test(ddssec_builtin_access_control_fnmatch, basic)
+{
+  CU_ASSERT(ac_fnmatch("", ""));
+  CU_ASSERT(ac_fnmatch("abc", "abc"));
+  CU_ASSERT(!ac_fnmatch("abc", "ab"));
+  CU_ASSERT(!ac_fnmatch("", "a"));
+  CU_ASSERT(!ac_fnmatch("a", ""));
+
+  CU_ASSERT(ac_fnmatch("a?", "ab"));
+  CU_ASSERT(ac_fnmatch("?b", "ab"));
+  CU_ASSERT(ac_fnmatch("a?c", "abc"));
+  CU_ASSERT(!ac_fnmatch("a?", "abc"));
+  CU_ASSERT(!ac_fnmatch("?c", "abc"));
+
+  CU_ASSERT(ac_fnmatch("a*", "a"));
+  CU_ASSERT(ac_fnmatch("a*", "abc"));
+  CU_ASSERT(ac_fnmatch("a*c", "abc"));
+  CU_ASSERT(ac_fnmatch("a*c", "abbc"));
+  CU_ASSERT(ac_fnmatch("*c", "abc"));
+  CU_ASSERT(ac_fnmatch("*c", "c"));
+  CU_ASSERT(!ac_fnmatch("a*", ""));
+  CU_ASSERT(!ac_fnmatch("a*c", "bc"));
+
+  CU_ASSERT(ac_fnmatch("[ab]", "a"));
+  CU_ASSERT(ac_fnmatch("[ab]", "b"));
+  CU_ASSERT(ac_fnmatch("a[bc]", "ab"));
+  CU_ASSERT(ac_fnmatch("a[bc]", "ac"));
+  CU_ASSERT(ac_fnmatch("a[bc]d", "abd"));
+  CU_ASSERT(ac_fnmatch("a[b-d]", "ab"));
+  CU_ASSERT(ac_fnmatch("a[b-d]", "ac"));
+  CU_ASSERT(ac_fnmatch("a[b-d]", "ad"));
+  CU_ASSERT(ac_fnmatch("a[-b]", "ab"));
+  CU_ASSERT(ac_fnmatch("a[!b]", "ac"));
+  CU_ASSERT(ac_fnmatch("a[!bc]d", "aad"));
+  CU_ASSERT(ac_fnmatch("a]", "a]"));
+  CU_ASSERT(!ac_fnmatch("[ab]", "c"));
+  CU_ASSERT(!ac_fnmatch("a[bc]", "ad"));
+  CU_ASSERT(!ac_fnmatch("a[bc]", "abc"));
+  CU_ASSERT(!ac_fnmatch("a[b-]", "ab"));
+  CU_ASSERT(!ac_fnmatch("a[-", "a"));
+  CU_ASSERT(!ac_fnmatch("a[", "a["));
+  CU_ASSERT(!ac_fnmatch("a[-", "a[-"));
+  CU_ASSERT(!ac_fnmatch("a[!b]", "ab"));
+  CU_ASSERT(!ac_fnmatch("a[!bc]d", "abd"));
+  CU_ASSERT(!ac_fnmatch("a[!b-d]", "ac"));
+  CU_ASSERT(!ac_fnmatch("a[!-b]", "ab"));
+}
diff --git a/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_credential_token/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_credential_token/src/get_permissions_credential_token_utests.c b/src/security/builtin_plugins/tests/get_permissions_credential_token/src/get_permissions_credential_token_utests.c
new file mode 100644
index 0000000..bed337f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_credential_token/src/get_permissions_credential_token_utests.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *PERMISSIONS_FILE_NAME = "Test_Permissions_ok.p7s";
+static const char *GOVERNANCE_FILE_NAME = "Test_Governance_ok.p7s";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_permissions_credential_token/etc/";
+
+static const char *IDENTITY_CERTIFICATE =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *PERMISSIONS_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static char *permissions = NULL;
+static char *g_path_to_etc_dir = NULL;
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static DDS_Security_Property_t *find_property(DDS_Security_DataHolder *token, const char *name)
+{
+  DDS_Security_Property_t *result = NULL;
+  uint32_t i;
+
+  for (i = 0; i < token->properties._length && !result; i++)
+    if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0))
+      result = &token->properties._buffer[i];
+  return result;
+}
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static char *read_document_from_file(const char *filename)
+{
+  char *document;
+  char *normalized;
+  char *name;
+
+  /* Get proper file name. */
+  ddsrt_asprintf(&name, "%s%s", g_path_to_etc_dir, filename);
+  normalized = DDS_Security_normalize_file(name);
+  ddsrt_free(name);
+  document = load_file_contents(normalized);
+
+  ddsrt_free(normalized);
+
+  return document;
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static int local_permissions_init(DDS_Security_DomainId domain_id)
+{
+  int res = 0;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t local_participant_guid;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, PERMISSIONS_FILE_NAME, GOVERNANCE_FILE_NAME);
+
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    res = -1;
+    printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  if (res == 0)
+  {
+    local_permissions_handle = access_control->validate_local_permissions(
+        access_control,
+        auth,
+        local_identity_handle,
+        domain_id,
+        &participant_qos,
+        &exception);
+
+    if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+    {
+      res = -1;
+      printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+  }
+
+  reset_exception(&exception);
+
+  dds_security_property_deinit(&participant_qos.property.value);
+
+  return res;
+}
+
+static void local_permissions_clean(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+    {
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_get_permissions_credential_token_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL (plugins != NULL);
+  set_path_to_etc_dir();
+  local_permissions_init(0);
+  permissions = read_document_from_file(PERMISSIONS_FILE_NAME);
+  CU_ASSERT_FATAL (permissions != NULL);
+}
+
+static void suite_get_permissions_credential_token_fini(void)
+{
+  local_permissions_clean();
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+  ddsrt_free(permissions);
+}
+
+static bool validate_permissions_token(DDS_Security_PermissionsCredentialToken *token)
+{
+  DDS_Security_Property_t *property;
+
+  if (!token->class_id || strcmp(token->class_id, "DDS:Access:PermissionsCredential") != 0)
+  {
+    CU_FAIL("PermissionsCredentialToken incorrect class_id");
+    return false;
+  }
+
+  property = find_property(token, "dds.perm.cert");
+  if (property == NULL)
+  {
+    CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' not found");
+    return false;
+  }
+  if (property->value == NULL)
+  {
+    CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' does not have a value");
+    return false;
+  }
+  if (strcmp(property->value, permissions) != 0)
+  {
+    CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' content does not match the permissions file");
+    return false;
+  }
+
+  return true;
+}
+
+CU_Test(ddssec_builtin_get_permissions_credential_token, happy_day, .init = suite_get_permissions_credential_token_init, .fini = suite_get_permissions_credential_token_fini)
+{
+  DDS_Security_PermissionsCredentialToken token;
+  DDS_Security_SecurityException exception;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_credential_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function call. */
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+
+  /* Test token contents. */
+  CU_ASSERT(validate_permissions_token(&token));
+
+  /* Post-requisites. */
+  DDS_Security_DataHolder_deinit(&token);
+  reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_get_permissions_credential_token, invalid_args, .init = suite_get_permissions_credential_token_init, .fini = suite_get_permissions_credential_token_fini)
+{
+  DDS_Security_PermissionsCredentialToken token;
+  DDS_Security_SecurityException exception;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function calls with different invalid args. */
+  result = access_control->get_permissions_credential_token(
+      NULL,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      NULL,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      0,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      NULL);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_credential_token(
+      access_control,
+      &token,
+      local_permissions_handle + 12345 /* invalid handle */,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+}
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_token/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/get_permissions_token/src/get_permissions_token_utests.c b/src/security/builtin_plugins/tests/get_permissions_token/src/get_permissions_token_utests.c
new file mode 100644
index 0000000..ca4f708
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_permissions_token/src/get_permissions_token_utests.c
@@ -0,0 +1,439 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_permissions_token/etc/";
+
+static const char *IDENTITY_CERTIFICATE =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *PERMISSIONS_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static char *g_path_to_etc_dir = NULL;
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static DDS_Security_Property_t *find_property(DDS_Security_DataHolder *token, const char *name)
+{
+  DDS_Security_Property_t *result = NULL;
+  uint32_t i;
+  for (i = 0; i < token->properties._length && !result; i++)
+    if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0))
+      result = &token->properties._buffer[i];
+  return result;
+}
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static void local_permissions_init(DDS_Security_DomainId domain_id)
+{
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t local_participant_guid;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, "Test_Permissions_ok.p7s", "Test_Governance_ok.p7s");
+
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  CU_ASSERT_EQUAL_FATAL (result, DDS_SECURITY_VALIDATION_OK);
+  reset_exception(&exception);
+  local_permissions_handle = access_control->validate_local_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      domain_id,
+      &participant_qos,
+      &exception);
+
+  CU_ASSERT_FATAL (local_permissions_handle != DDS_SECURITY_HANDLE_NIL);
+  reset_exception(&exception);
+  dds_security_property_deinit(&participant_qos.property.value);
+}
+
+static void local_permissions_clean(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+    {
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_get_permissions_token_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL (plugins != NULL);
+  set_path_to_etc_dir();
+  local_permissions_init(0);
+}
+
+static void suite_get_permissions_token_fini(void)
+{
+  local_permissions_clean();
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+static bool validate_permissions_token(
+    DDS_Security_PermissionsToken *token)
+{
+  if (!token->class_id || strcmp(token->class_id, "DDS:Access:Permissions:1.0") != 0)
+  {
+    CU_FAIL("PermissionsToken incorrect class_id");
+    return false;
+  }
+
+  /* Optional. */
+  if (find_property(token, "dds.perm_ca.sn") == NULL)
+    printf("Optional PermissionsToken property 'dds.perm_ca.sn' not found\n");
+  if (find_property(token, "dds.perm_ca.algo") == NULL)
+    printf("Optional PermissionsToken property 'dds.perm_ca.algo' not found\n");
+  return true;
+}
+
+CU_Test(ddssec_builtin_get_permissions_token, happy_day, .init = suite_get_permissions_token_init, .fini = suite_get_permissions_token_fini)
+{
+  DDS_Security_SecurityException exception;
+  DDS_Security_PermissionsToken token;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function call. */
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+
+  /* Test token contents. */
+  CU_ASSERT(validate_permissions_token(&token));
+
+  /* Post-requisites. */
+  DDS_Security_DataHolder_deinit(&token);
+  reset_exception(&exception);
+}
+
+CU_Test(ddssec_builtin_get_permissions_token, invalid_args, .init = suite_get_permissions_token_init, .fini = suite_get_permissions_token_fini)
+{
+  DDS_Security_SecurityException exception;
+  DDS_Security_PermissionsToken token;
+  DDS_Security_boolean result;
+
+  /* Pre-requisites. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
+  memset(&exception, 0, sizeof(DDS_Security_SecurityException));
+  memset(&token, 0, sizeof(token));
+
+  /* Test function calls with different invalid args. */
+  result = access_control->get_permissions_token(
+      NULL,
+      &token,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      NULL,
+      local_permissions_handle,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      0,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      local_permissions_handle,
+      NULL);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == 0);
+  CU_ASSERT(exception.message == NULL);
+  reset_exception(&exception);
+
+  result = access_control->get_permissions_token(
+      access_control,
+      &token,
+      local_permissions_handle + 12345 /* invalid handle */,
+      &exception);
+  if (!result)
+  {
+    printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  CU_ASSERT(exception.message != NULL);
+  reset_exception(&exception);
+}
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_full.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_full.p7s
new file mode 100644
index 0000000..4ea8fe8
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_full.p7s
@@ -0,0 +1,267 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----05DBD6F6E587875751A79EAC78048D60"
+
+This is an S/MIME signed message
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*other</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>                
+                <id>200</id>
+                <id>30</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>0</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShipData</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+           
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GyBZYdNlmQT2Nv1CHrUEB6+
+C0U0yXvpmj5+mlGojPAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJXrVHO7KdgYM20uGGNL
+P4VRPmYVWoWIkl5/OEzZ8uirs+oGJR7tYLiFl1wzXUzPBB/03qsANmlshDpFgbmV
+thTV7AGRg3SXUDa/cG4N9PupE5VRZaVdbcbdH1DfoIZCLLp4HK3HgqUXkH9vnC92
+tdtgzxZOCrQ4A6WbGiBkWr5LtMWg2lnwPp55vrfRoh6u0qVEumD+VQi+Lroo9M1E
+659LB2dwEcNb1g1HyoodpKlUSsbGsY/JA7bbNrw/KIGVYcoXfmpgWmtzUjfpkPDj
+zVPImqr6jdxP4quGmGWRmrLHPrEYJscJqCwjNTi6naXnAvaE4nxQ4HBgveEodTuP
+8tM=
+
+------05DBD6F6E587875751A79EAC78048D60--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.p7s
new file mode 100644
index 0000000..3ef33a2
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D5AADCFDEEF9EC8B0B116AC356AF41CA"
+
+This is an S/MIME signed message
+
+------D5AADCFDEEF9EC8B0B116AC356AF41CA
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>NONE</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------D5AADCFDEEF9EC8B0B116AC356AF41CA
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg1l4l1hEFvxsjc65MThWHhvCb
+YoBySw0UQA61LL+lSsEwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAF88Gg525eeqmgAtBky5
+lMnQehnA0c37pSL5uTklEcb0xwkQcdWQVerkAwKQb8CJGz4ttwvVqIde2Jn8boJP
+Tb8xYvk38HXFHOpzSEv0qAj0u6dVB+go3OnrdhcM1R7jrHfReBRgnict8pLOPb+Y
+khdlqzOMVxoTpJSiXUWdt5ucKbNvuWROG6TsNs4S5+lJ3EEvDn3++g32VRX9V3h4
+5Hni4AMGmZrjBbmL/S02iR33ltwXYqfipUQjR5S5V/HS0LHX/mjYwuiWCtHNiSIi
+s+8mqW8vNebYA9LeK7bvWXCygqnVr3qJT+ryeXUXtBl7dCTV+QVAlUzbW1wgHSuq
+wtc=
+
+------D5AADCFDEEF9EC8B0B116AC356AF41CA--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.xml
new file mode 100644
index 0000000..e829911
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_clear.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>NONE</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.p7s
new file mode 100644
index 0000000..38b2c26
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----37F7530AAA327BE7C00C18ECA28FFF95"
+
+This is an S/MIME signed message
+
+------37F7530AAA327BE7C00C18ECA28FFF95
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>false</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------37F7530AAA327BE7C00C18ECA28FFF95
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgqqTuijPzgi5UyYnaRmfKMSwt
+M8Mbr6egpAxWLt7vkkAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACmMVANcUvNpeIpdG6is
+IbAJWbvoIh68B4nMLMU8gij1ZcNavWg6dDU709AJcrCU2ZbVsHKPyBvRuSctkbKe
+XHCRv5bAkcqkLsEVPc4Yu8w2hIC8nSTW1E2l1I+tChcXepcSsmrRFjZI8myDWmre
+Slzcq0nSwKayhMSkv0CJeSzhQGCHBhRnVCb7ZDJXL94VKh1OBxlqTWGLRNQcIk0p
+WXI0B2j5n8nM+neQd1gnKKuvqjSh2/IwUPariRfqpfVm1e8Mc0zNAubHOfuZ/hXj
+tDAPBcJq8gz3sKSbwvN4Rk1J7YV0AnA8pPq3nfoZWvqcUzbdExn2zvzawRgteUyf
+luw=
+
+------37F7530AAA327BE7C00C18ECA28FFF95--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.xml
new file mode 100644
index 0000000..6f12d18
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_different.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>NONE</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>false</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.p7s
new file mode 100644
index 0000000..cfc92ac
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E6FE6351D381785F2D971BF5DB266909"
+
+This is an S/MIME signed message
+
+------E6FE6351D381785F2D971BF5DB266909
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------E6FE6351D381785F2D971BF5DB266909
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg7ee1YxacZ9KtXJCLUCzhZB8p
+Sv4SXMFrKtVchg886ZkwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAB3tqkFmfwnk2HXgn9H1
+Ap6Hk7I3TIYBMMQkDTZHbPj3EMOls02+QI++ztvwaBzG7bS6f7qfxhHnNgXF/52t
+Qf20nOXjxAUL82UxVxNmJjqE+FHksSTqEjtKFMy8V+wz9doVSUgdfKKD8SUOOr1I
+nakp0o/Vk/E5bbYOoWaDXJKAo7iiEssbsw33/8eZgPpVOyPS0pqk7w6d/fmo2OMm
+niCl24qiXjdQbkuUT+zuhjKIfBjxqIPRKnOxK+HheR77m/EhkNsYYbsOgLaSXQVW
+O3Kv0GmJGKg0N2KXW5VH+6FhS5KA6TL/6Xz6LzLZFsSyAmhWsBK0l1Ted+z4Tgw3
+fP8=
+
+------E6FE6351D381785F2D971BF5DB266909--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.xml
new file mode 100644
index 0000000..01b2d20
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s
new file mode 100644
index 0000000..c604b13
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4375434DF6819FB7435B04810D502609"
+
+This is an S/MIME signed message
+
+------4375434DF6819FB7435B04810D502609
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------4375434DF6819FB7435B04810D502609
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQglibSNHDswKA0PDJrsz8tZiXT
+1UrMUhYJJbXsLdvTGVowgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACLqhHS8kapMUhLBjAfI
+17FuvzGjgJ2CSy7/yJDz1+OsUdbCofV8jA1rxxPIGv9Koq/BaKHtJdtzpLaag/CD
+SITepCjU+rRoGnZ5vOeSgaHJlDWcRBtAoFME3NrgdYT7ldUABuiPngR5HuwNAUTA
+aY2rPaSds2eWluqH6WJqO+qvRvSZEsypy+OSpRAu954rDfkFGyZ00aQnTpzJTVJT
+MLF8rXziOY9CAHXFN0w6jEBy7Y4pBjnp/bQQFmE41NH9KuATEGPLChInQOYEEeNK
+2rr96Z/rgfhcBE1qyZdt4RNgGNFNCRzeGIX5Kti/jTeas1430sQ+DYJypObVhrhY
+S/M=
+
+------4375434DF6819FB7435B04810D502609--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.xml
new file mode 100644
index 0000000..d011e9c
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_encrypted_and_authenticated.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.p7s
new file mode 100644
index 0000000..55cf899
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----CAAC97AAFA02CB29461AE6EEFCBDADE0"
+
+This is an S/MIME signed message
+
+------CAAC97AAFA02CB29461AE6EEFCBDADE0
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------CAAC97AAFA02CB29461AE6EEFCBDADE0
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgUQGGQlfgFH2GTdp8QcQHAf7c
+ytQO0EMxvnsXNDiWmfcwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBABl+6OuVlW5UltPGg+9c
+6DlnX12Ah1feD0c/cmOkWjKW9A/soc+5npXvLcbxlkO/+MEkHlH00QKQmX7uY+3Z
+NybUU/2KbzEeqo8WwkqJPFBBPrjbHTAuIIPDHFcSq9oY6zUWMcHDFVjaXcNOfyiA
+clECqfcXesxfwGNXv5x58y0rJdxGiyptryLvJnZozwjNJ08ggY6d2mnitxbtSowY
+InQ02I95vWHYquonVAihvKX9NhaCSDEMyJb/ckL8tJuzQ3qUsEfc5DJVUSOEyCo8
+C7cZbfCpM9R+ZwyhRQOaleHs4kLvli7Q8OkpH8ecUBeg9gQmriju1G2/irvTg4t+
+Tlw=
+
+------CAAC97AAFA02CB29461AE6EEFCBDADE0--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.xml
new file mode 100644
index 0000000..63ee9e4
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.p7s
new file mode 100644
index 0000000..6273245
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7D08A7D2B4B01785900B9A7208F12A69"
+
+This is an S/MIME signed message
+
+------7D08A7D2B4B01785900B9A7208F12A69
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------7D08A7D2B4B01785900B9A7208F12A69
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgu4lTESCOlPw4ua2e8RFY0V80
+KDwe7OyvA7k5OJvb70MwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAE6icR4lmUwDahVEA4BA
+QIl2Pp+WGo1wDLHRdR1YnKt9narfgi6YHlt37sppOuKYPZSrjkcE07nlj9IN3PNR
+2RxeUogt5fLHPll2E+GIfXRkPq5MtCscko+7MyrPkaMOPCv0pQ8e+nEvDkLeKqvS
+jinelekFzICvUd8vg9UozxyUQciPLvjmEVwe+czFiM0oFqN9O9d1y5n985HXc/T5
+RfhSXpXUk2KBPvU+tN9UtdInMylPs8PK8wbONTem7uG9nP/tKL7VCjLiTQm5zAuo
+ecEvLybuALPVwylTppB2a8jMwb3Qt3ERY/do9s9RyFszvMOqBXsDOpSGtjBHT2uU
+Bhs=
+
+------7D08A7D2B4B01785900B9A7208F12A69--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.xml b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.xml
new file mode 100644
index 0000000..3930f88
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Governance_liveliness_discovery_signed_and_authenticated.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c
new file mode 100644
index 0000000..91381aa
--- /dev/null
+++ b/src/security/builtin_plugins/tests/get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c
@@ -0,0 +1,1649 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+#if OPENSLL_VERSION_NUMBER >= 0x10002000L
+#define AUTH_INCLUDE_EC
+#endif
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_xxx_sec_attributes/etc/";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *IDENTITY_CERTIFICATE =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *PERMISSIONS_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static struct plugins_hdl *plugins = NULL;
+static dds_security_access_control *access_control = NULL;
+static dds_security_authentication *auth = NULL;
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_GUID_t local_participant_guid;
+static char *g_path_to_etc_dir = NULL;
+
+typedef enum SEC_TOPIC_NAME
+{
+  SEC_TOPIC_DCPSPARTICIPANTSECURE,
+  SEC_TOPIC_DCPSPUBLICATIONSSECURE,
+  SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE,
+  SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE,
+  SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE,
+  SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE,
+  SEC_TOPIC_DCPS_KINEMATICS,
+  SEC_TOPIC_DCPS_OWNSHIPDATA,
+  SEC_TOPIC_DCPS_SHAPE
+} SEC_TOPIC_TYPE;
+
+const char *TOPIC_NAMES[] = {"DCPSParticipantsSecure",
+                             "DCPSPublicationsSecure",
+                             "DCPSSubscriptionsSecure",
+                             "DCPSParticipantMessageSecure",
+                             "DCPSParticipantStatelessMessage",
+                             "DCPSParticipantVolatileMessageSecure",
+                             "Kinematics",
+                             "OwnShipData",
+                             "Shape"
+
+};
+
+static DDS_Security_EndpointSecurityAttributes ATTRIBUTE_CHECKLIST[9];
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename,
+                                 const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static bool create_local_identity(DDS_Security_DomainId domain_id, const char *governance_file)
+{
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, "Test_Permissions_ok.p7s", governance_file);
+
+  /* Now call the function. */
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    printf("[ERROR] validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    return false;
+  }
+
+  local_permissions_handle = access_control->validate_local_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      domain_id,
+      &participant_qos,
+      &exception);
+
+  if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+  {
+    printf("[ERROR] validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    return false;
+  }
+
+  dds_security_property_deinit(&participant_qos.property.value);
+
+  return true;
+}
+
+static void clear_local_identity(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+    {
+      printf("return_permissions_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+
+  local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+  local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static DDS_Security_PluginEndpointSecurityAttributesMask get_plugin_endpoint_security_attributes_mask(DDS_Security_boolean is_payload_encrypted, DDS_Security_boolean is_submessage_encrypted, DDS_Security_boolean is_submessage_origin_authenticated)
+{
+  DDS_Security_PluginEndpointSecurityAttributesMask mask = DDS_SECURITY_ENDPOINT_ATTRIBUTES_FLAG_IS_VALID;
+  if (is_submessage_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  if (is_payload_encrypted)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_PAYLOAD_ENCRYPTED;
+  if (is_submessage_origin_authenticated)
+    mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  return mask;
+}
+
+static void suite_get_xxx_sec_attributes_init(void)
+{
+  set_path_to_etc_dir();
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_read_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_read_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_read_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_read_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_read_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_read_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_write_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_write_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_write_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_write_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_write_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_write_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_payload_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_payload_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_payload_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_payload_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_payload_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_payload_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_key_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_key_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_key_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_key_protected =
+                  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_key_protected =
+                      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_key_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSECURE].is_submessage_protected =
+      ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPUBLICATIONSSECURE].is_submessage_protected =
+          ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSSUBSCRIPTIONSSECURE].is_submessage_protected =
+              ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTMESSAGESECURE].is_submessage_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTSTATELESSMESSAGE].is_submessage_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPSPARTICIPANTVOLATILEMESSAGESECURE].is_submessage_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_read_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_write_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_discovery_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_liveliness_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_submessage_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_payload_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].is_key_protected = false;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_KINEMATICS].plugin_endpoint_attributes =
+      get_plugin_endpoint_security_attributes_mask(false, false, false);
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_read_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_write_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_discovery_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_liveliness_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_submessage_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_payload_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].is_key_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_OWNSHIPDATA].plugin_endpoint_attributes =
+      get_plugin_endpoint_security_attributes_mask(true, false, false);
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_read_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_write_protected = false;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_discovery_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_liveliness_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_submessage_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_payload_protected = true;
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].is_key_protected = true;
+
+  ATTRIBUTE_CHECKLIST[SEC_TOPIC_DCPS_SHAPE].plugin_endpoint_attributes =
+      get_plugin_endpoint_security_attributes_mask(true, true, true);
+}
+
+static void suite_get_xxx_sec_attributes_fini(void)
+{
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+static bool plugins_init(void)
+{
+  /* Checking AccessControl, but needing Authentication to setup local identity. */
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  return plugins ? true : false;
+}
+
+static void plugins_fini(void)
+{
+  unload_plugins(plugins);
+}
+
+static bool
+verify_endpoint_attributes(SEC_TOPIC_TYPE topic_type, DDS_Security_EndpointSecurityAttributes *attributes)
+{
+  bool result = true;
+  if (attributes->is_read_protected != ATTRIBUTE_CHECKLIST[topic_type].is_read_protected ||
+      attributes->is_write_protected != ATTRIBUTE_CHECKLIST[topic_type].is_write_protected ||
+      attributes->is_submessage_protected != ATTRIBUTE_CHECKLIST[topic_type].is_submessage_protected ||
+      attributes->is_payload_protected != ATTRIBUTE_CHECKLIST[topic_type].is_payload_protected ||
+      attributes->is_key_protected != ATTRIBUTE_CHECKLIST[topic_type].is_key_protected)
+  {
+
+    result = false;
+  }
+  if (topic_type == SEC_TOPIC_DCPS_KINEMATICS || topic_type == SEC_TOPIC_DCPS_SHAPE)
+  {
+    if (attributes->is_discovery_protected != ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected ||
+        attributes->is_liveliness_protected != ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected ||
+        attributes->plugin_endpoint_attributes != ATTRIBUTE_CHECKLIST[topic_type].plugin_endpoint_attributes)
+    {
+      result = false;
+    }
+  }
+
+  if (!result)
+  {
+    printf("Invalid attribute for Topic: %s\n", TOPIC_NAMES[topic_type]);
+    printf("is_read_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_write_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_discovery_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_liveliness_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_submessage_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_payload_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_key_protected: EXPECTED: %d ACTUAL: %d\n",
+           ATTRIBUTE_CHECKLIST[topic_type].is_read_protected, attributes->is_read_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_write_protected, attributes->is_write_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected, attributes->is_discovery_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected, attributes->is_liveliness_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_submessage_protected, attributes->is_submessage_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_payload_protected, attributes->is_payload_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_key_protected, attributes->is_key_protected);
+  }
+
+  return result;
+}
+
+static bool verify_topic_attributes(SEC_TOPIC_TYPE topic_type, DDS_Security_TopicSecurityAttributes *attributes)
+{
+  bool result = true;
+  if (attributes->is_read_protected != ATTRIBUTE_CHECKLIST[topic_type].is_read_protected ||
+      attributes->is_write_protected != ATTRIBUTE_CHECKLIST[topic_type].is_write_protected ||
+      attributes->is_discovery_protected != ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected ||
+      attributes->is_liveliness_protected != ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected)
+  {
+    result = false;
+  }
+
+  if (!result)
+  {
+    printf("Invalid attribute for Topic: %s\n", TOPIC_NAMES[topic_type]);
+    printf("is_read_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_write_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_discovery_protected: EXPECTED: %d ACTUAL: %d\n"
+           "is_liveliness_protected: EXPECTED: %d ACTUAL: %d\n",
+           ATTRIBUTE_CHECKLIST[topic_type].is_read_protected, attributes->is_read_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_write_protected, attributes->is_write_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_discovery_protected, attributes->is_discovery_protected,
+           ATTRIBUTE_CHECKLIST[topic_type].is_liveliness_protected, attributes->is_liveliness_protected);
+  }
+
+  return result;
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, participant_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_full.p7s (selected because of domain id 0):
+     *
+     *    <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *    <enable_join_access_control>true</enable_join_access_control>
+     *    <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+     *    <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+     *    <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+     */
+  CU_ASSERT(attributes.allow_unauthenticated_participants == false);
+  CU_ASSERT(attributes.is_access_protected == true);
+  CU_ASSERT(attributes.is_discovery_protected == true);
+  CU_ASSERT(attributes.is_liveliness_protected == true);
+  CU_ASSERT(attributes.is_rtps_protected == true);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED) == 0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED) == DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED) == 0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID) != 0);
+
+  result = access_control->return_participant_sec_attributes(
+      access_control,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  clear_local_identity();
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datawriter_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+  unsigned i;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantsSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+    and a sample DCPS topic*/
+
+  /* Now call the function. */
+  for (i = SEC_TOPIC_DCPSPARTICIPANTSECURE; i <= SEC_TOPIC_DCPS_SHAPE; ++i)
+  {
+
+    result = access_control->get_datawriter_sec_attributes(
+        access_control,
+        local_permissions_handle,
+        TOPIC_NAMES[i],
+        partition,
+        &data_tag,
+        &attributes,
+        &exception);
+
+    CU_ASSERT_FATAL(result);
+
+    CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+    CU_ASSERT_FATAL(verify_endpoint_attributes(i, &attributes));
+
+    //reset control values
+    memset(&attributes, 0, sizeof(attributes));
+    reset_exception(&exception);
+  }
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datawriter_non_existing_topic, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  /* use a different domain(30) to get non matching topic result */
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      TOPIC_NAMES[SEC_TOPIC_DCPS_SHAPE],
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datareader_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+  unsigned i;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datareader_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+     and a sample DCPS topic*/
+
+  /* Now call the function. */
+  for (i = SEC_TOPIC_DCPSPARTICIPANTSECURE; i <= SEC_TOPIC_DCPS_SHAPE; ++i)
+  {
+
+    result = access_control->get_datareader_sec_attributes(
+        access_control,
+        local_permissions_handle,
+        TOPIC_NAMES[i],
+        partition,
+        &data_tag,
+        &attributes,
+        &exception);
+
+    CU_ASSERT_FATAL(result);
+
+    CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+    CU_ASSERT_FATAL(verify_endpoint_attributes(i, &attributes) == true);
+
+    //reset control values
+    memset(&attributes, 0, sizeof(attributes));
+    reset_exception(&exception);
+  }
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datareader_non_existing_topic, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  /* use a different domain (30) to get non matching topic result */
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      TOPIC_NAMES[SEC_TOPIC_DCPS_SHAPE],
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, participant_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attributes;
+  bool result;
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  result = access_control->get_participant_sec_attributes(
+      NULL,
+      local_permissions_handle,
+      &attributes,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      0,
+      &attributes,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      &attributes,
+      &exception);
+  CU_ASSERT(!result);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datareader_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datareader_sec_attributes != NULL);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "Shape",
+      partition,
+      &data_tag,
+      NULL,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      "Shape",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, datawriter_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_EndpointSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "Shape",
+      partition,
+      &data_tag,
+      NULL,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      "Shape",
+      partition,
+      &data_tag,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, topic_happy_day, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_TopicSecurityAttributes attributes;
+  bool result;
+  unsigned i;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_topic_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantsSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+    and a sample DCPS topic*/
+
+  /* Now call the function. */
+  for (i = SEC_TOPIC_DCPS_KINEMATICS; i <= SEC_TOPIC_DCPS_SHAPE; ++i)
+  {
+
+    result = access_control->get_topic_sec_attributes(
+        access_control,
+        local_permissions_handle,
+        TOPIC_NAMES[i],
+        &attributes,
+        &exception);
+
+    CU_ASSERT_FATAL(result);
+
+    CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+    CU_ASSERT_FATAL(verify_topic_attributes(i, &attributes));
+
+    //reset control values
+    memset(&attributes, 0, sizeof(attributes));
+    reset_exception(&exception);
+  }
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, topic_non_existing_topic, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_TopicSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_topic_sec_attributes != NULL);
+
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /*Test for each builtin topics:
+     "DCPSParticipantsSecure", "DCPSPublicationsSecure", "DCPSSubscriptionsSecure"
+     "DCPSParticipantMessageSecure", "DCPSParticipantStatelessMessage", "DCPSParticipantVolatileMessageSecure"
+    and a sample DCPS topic*/
+
+  /* Now call the function. */
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      TOPIC_NAMES[SEC_TOPIC_DCPS_SHAPE],
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_CAN_NOT_FIND_TOPIC_IN_DOMAIN_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, topic_invalid_param, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_TopicSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_topic_sec_attributes != NULL);
+
+  result = create_local_identity(0, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  /* Now call the function. */
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      NULL,
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "",
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      "Shape",
+      NULL,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  result = access_control->get_topic_sec_attributes(
+      access_control,
+      local_permissions_handle + 12345,
+      "Shape",
+      &attributes,
+      &exception);
+
+  CU_ASSERT_FATAL(!result);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
+
+  //reset control values
+  memset(&attributes, 0, sizeof(attributes));
+  reset_exception(&exception);
+
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, participant_2nd_rule, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attributes;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  result = create_local_identity(30, "Test_Governance_full.p7s");
+  CU_ASSERT_FATAL(result);
+
+  memset(&attributes, 0, sizeof(attributes));
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      local_permissions_handle,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  /*
+     * Expect these values based on these options, which is the 2nd domain rule
+     * in the Test_Governance_full.p7s (selected because of domain id 30):
+     *
+     *    <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+     *    <enable_join_access_control>0</enable_join_access_control>
+     *    <discovery_protection_kind>SIGN</discovery_protection_kind>
+     *    <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+     *    <rtps_protection_kind>NONE</rtps_protection_kind>
+     */
+  CU_ASSERT(attributes.allow_unauthenticated_participants == true);
+  CU_ASSERT(attributes.is_access_protected == false);
+  CU_ASSERT(attributes.is_discovery_protected == true);
+  CU_ASSERT(attributes.is_liveliness_protected == true);
+  CU_ASSERT(attributes.is_rtps_protected == false);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_ENCRYPTED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED) ==
+            DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_RTPS_AUTHENTICATED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED) ==
+            0);
+  CU_ASSERT((attributes.plugin_participant_attributes & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED) ==
+            0);
+
+  result = access_control->return_participant_sec_attributes(
+      access_control,
+      &attributes,
+      &exception);
+  CU_ASSERT(result);
+
+  clear_local_identity();
+  plugins_fini();
+}
+
+static void test_liveliness_discovery_participant_attr(
+    DDS_Security_PermissionsHandle hdl,
+    bool liveliness_protected,
+    DDS_Security_unsigned_long liveliness_mask,
+    bool discovery_protected,
+    DDS_Security_unsigned_long discovery_mask)
+{
+  DDS_Security_unsigned_long mask = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID |
+                                    liveliness_mask |
+                                    discovery_mask;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_ParticipantSecurityAttributes attr;
+  bool result;
+
+  CU_ASSERT_FATAL(access_control->get_participant_sec_attributes != NULL);
+
+  memset(&attr, 0, sizeof(attr));
+
+  result = access_control->get_participant_sec_attributes(
+      access_control,
+      hdl,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+
+  CU_ASSERT(attr.allow_unauthenticated_participants == false);
+  CU_ASSERT(attr.is_access_protected == true);
+  CU_ASSERT(attr.is_discovery_protected == discovery_protected);
+  CU_ASSERT(attr.is_liveliness_protected == liveliness_protected);
+  CU_ASSERT(attr.is_rtps_protected == false);
+  CU_ASSERT(attr.plugin_participant_attributes == mask);
+
+  result = access_control->return_participant_sec_attributes(
+      access_control,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+}
+
+static void test_liveliness_discovery_writer_attr(
+    const char *topic_name,
+    DDS_Security_PermissionsHandle hdl,
+    bool liveliness_protected,
+    bool discovery_protected,
+    bool submsg_protected,
+    DDS_Security_unsigned_long submsg_mask)
+{
+  DDS_Security_unsigned_long mask = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID | submsg_mask;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_EndpointSecurityAttributes attr;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  bool result;
+
+  CU_ASSERT_FATAL(access_control->get_datawriter_sec_attributes != NULL);
+
+  memset(&attr, 0, sizeof(attr));
+
+  result = access_control->get_datawriter_sec_attributes(
+      access_control,
+      hdl,
+      topic_name,
+      partition,
+      &data_tag,
+      &attr,
+      &exception);
+  CU_ASSERT_FATAL(result);
+
+  CU_ASSERT(attr.is_read_protected == false);
+  CU_ASSERT(attr.is_write_protected == false);
+  CU_ASSERT(attr.is_submessage_protected == submsg_protected);
+  CU_ASSERT(attr.is_payload_protected == false);
+  CU_ASSERT(attr.is_key_protected == false);
+  CU_ASSERT(attr.is_discovery_protected == discovery_protected);
+  CU_ASSERT(attr.is_liveliness_protected == liveliness_protected);
+  CU_ASSERT(attr.plugin_endpoint_attributes == mask);
+
+  result = access_control->return_datawriter_sec_attributes(
+      access_control,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+}
+
+static void test_liveliness_discovery_reader_attr(
+    const char *topic_name,
+    DDS_Security_PermissionsHandle hdl,
+    bool liveliness_protected,
+    bool discovery_protected,
+    bool submsg_protected,
+    DDS_Security_unsigned_long submsg_mask)
+{
+  DDS_Security_unsigned_long mask = DDS_SECURITY_PARTICIPANT_ATTRIBUTES_FLAG_IS_VALID | submsg_mask;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_EndpointSecurityAttributes attr;
+  DDS_Security_DataTagQosPolicy data_tag;
+  DDS_Security_PartitionQosPolicy *partition = NULL;
+  bool result;
+  return;
+  CU_ASSERT_FATAL(access_control->get_datareader_sec_attributes != NULL);
+
+  memset(&attr, 0, sizeof(attr));
+
+  result = access_control->get_datareader_sec_attributes(
+      access_control,
+      hdl,
+      topic_name,
+      partition,
+      &data_tag,
+      &attr,
+      &exception);
+  CU_ASSERT_FATAL(result);
+
+  CU_ASSERT(attr.is_read_protected == false);
+  CU_ASSERT(attr.is_write_protected == false);
+  CU_ASSERT(attr.is_submessage_protected == submsg_protected);
+  CU_ASSERT(attr.is_payload_protected == false);
+  CU_ASSERT(attr.is_key_protected == false);
+  CU_ASSERT(attr.is_discovery_protected == discovery_protected);
+  CU_ASSERT(attr.is_liveliness_protected == liveliness_protected);
+  CU_ASSERT(attr.plugin_endpoint_attributes == mask);
+
+  result = access_control->return_datareader_sec_attributes(
+      access_control,
+      &attr,
+      &exception);
+  CU_ASSERT(result);
+}
+
+static void test_liveliness_discovery_attr(
+    const char *governance,
+    bool liveliness_protected,
+    DDS_Security_unsigned_long liveliness_mask,
+    bool discovery_protected,
+    DDS_Security_unsigned_long discovery_mask)
+{
+  DDS_Security_unsigned_long submsg_liveliness_mask = 0;
+  DDS_Security_unsigned_long submsg_discovery_mask = 0;
+  bool result;
+
+  result = plugins_init();
+  CU_ASSERT_FATAL(result);
+  CU_ASSERT_FATAL(access_control != NULL);
+
+  result = create_local_identity(0, governance);
+  CU_ASSERT_FATAL(result);
+
+  /* For some endpoints, the submsg encryption mask depends on either the
+     * discovery or liveliness mask. */
+  if (liveliness_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED)
+  {
+    submsg_liveliness_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  }
+  if (liveliness_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED)
+  {
+    submsg_liveliness_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  }
+  if (discovery_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED)
+  {
+    submsg_discovery_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ENCRYPTED;
+  }
+  if (discovery_mask & DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED)
+  {
+    submsg_discovery_mask |= DDS_SECURITY_PLUGIN_ENDPOINT_ATTRIBUTES_FLAG_IS_SUBMESSAGE_ORIGIN_AUTHENTICATED;
+  }
+
+  /* Participant attributes */
+
+  test_liveliness_discovery_participant_attr(
+      local_permissions_handle,
+      liveliness_protected,
+      liveliness_mask,
+      discovery_protected,
+      discovery_mask);
+
+  /* Writer attributes */
+
+  /* User topic. */
+  test_liveliness_discovery_writer_attr(
+      "Kinematics",
+      local_permissions_handle,
+      liveliness_protected,
+      discovery_protected,
+      false /* submsg_protected     */,
+      0 /* submsg_mask          */);
+
+  /* Builtin topic. */
+  test_liveliness_discovery_writer_attr(
+      "DCPSPublication",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      false /* submsg_protected     */,
+      0 /* submsg_mask          */);
+
+  /* Security (normal) builtin topic. */
+  test_liveliness_discovery_writer_attr(
+      "DCPSPublicationsSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      discovery_protected /* submsg_protected     */,
+      submsg_discovery_mask /* submsg_mask          */);
+
+  /* Security (liveliness affected) builtin topic. */
+  test_liveliness_discovery_writer_attr(
+      "DCPSParticipantMessageSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      liveliness_protected /* submsg_protected     */,
+      submsg_liveliness_mask /* submsg_mask          */);
+
+  /* Reader attributes */
+
+  /* User topic. */
+  test_liveliness_discovery_reader_attr(
+      "Kinematics",
+      local_permissions_handle,
+      liveliness_protected,
+      discovery_protected,
+      false /* submsg_protected     */,
+      false /* submsg_mask          */);
+
+  /* Builtin topic. */
+  test_liveliness_discovery_reader_attr(
+      "DCPSPublication",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      false /* submsg_protected     */,
+      0 /* submsg_mask          */);
+
+  /* Security (normal) builtin topic. */
+  test_liveliness_discovery_reader_attr(
+      "DCPSPublicationsSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      discovery_protected /* submsg_protected     */,
+      submsg_discovery_mask /* submsg_mask          */);
+
+  /* Security (liveliness affected) builtin topic. */
+  test_liveliness_discovery_reader_attr(
+      "DCPSParticipantMessageSecure",
+      local_permissions_handle,
+      false /* liveliness_protected */,
+      false /* discovery_protected  */,
+      liveliness_protected /* submsg_protected     */,
+      submsg_liveliness_mask /* submsg_mask          */);
+
+  clear_local_identity();
+  plugins_fini();
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_clear, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>NONE</discovery_protection_kind>
+     *   <liveliness_protection_kind>NONE</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>false</enable_liveliness_protection>
+     *           <enable_discovery_protection>false</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_clear.p7s",
+      /* liveliness_protected */
+      false,
+      /* liveliness_mask      */
+      0,
+      /* discovery_protected  */
+      false,
+      /* discovery_mask       */
+      0);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_encrypted, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+     *   <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_encrypted.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_signed, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>SIGN</discovery_protection_kind>
+     *   <liveliness_protection_kind>SIGN</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_signed.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      0,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      0);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_encrypted_and_authenticated, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+     *   <liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_encrypted_and_authenticated.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_ENCRYPTED |
+          DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED |
+          DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_signed_and_authenticated, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+     *   <liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>true</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_signed_and_authenticated.p7s",
+      /* liveliness_protected */
+      true,
+      /* liveliness_mask      */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_LIVELINESS_AUTHENTICATED,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_AUTHENTICATED);
+}
+
+CU_Test(ddssec_builtin_get_xxx_sec_attributes, liveliness_discovery_different, .init = suite_get_xxx_sec_attributes_init, .fini = suite_get_xxx_sec_attributes_fini)
+{
+  /*
+     * Expect these values based on these options, which is the 1st domain rule
+     * in the Test_Governance_liveliness_discovery_clear.p7s (selected because of domain id 0):
+     *
+     *   <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+     *   <enable_join_access_control>true</enable_join_access_control>
+     *   <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+     *   <liveliness_protection_kind>NONE</liveliness_protection_kind>
+     *   <rtps_protection_kind>NONE</rtps_protection_kind>
+     *   <topic_access_rules>
+     *       <topic_rule>
+     *           <topic_expression>*</topic_expression>
+     *           <enable_liveliness_protection>false</enable_liveliness_protection>
+     *           <enable_discovery_protection>true</enable_discovery_protection>
+     *           <enable_read_access_control>false</enable_read_access_control>
+     *           <enable_write_access_control>false</enable_write_access_control>
+     *           <metadata_protection_kind>NONE</metadata_protection_kind>
+     *           <data_protection_kind>NONE</data_protection_kind>
+     *       </topic_rule>
+     *   </topic_access_rules>
+     */
+  test_liveliness_discovery_attr(
+      "Test_Governance_liveliness_discovery_different.p7s",
+      /* liveliness_protected */
+      false,
+      /* liveliness_mask      */
+      0,
+      /* discovery_protected  */
+      true,
+      /* discovery_mask       */
+      DDS_SECURITY_PLUGIN_PARTICIPANT_ATTRIBUTES_FLAG_IS_DISCOVERY_ENCRYPTED);
+}
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca.pem b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca.pem
new file mode 100644
index 0000000..2372ae0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj
+aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx
+MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM
+ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV
+BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD
+uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO
+NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r
+cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L
+FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu
+kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK
+ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND
+LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI
+eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0
+KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl
+PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs
+hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF
+HQ==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca_key.pem b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca_key.pem
new file mode 100644
index 0000000..22fac8b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_ca_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxr
+nGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSp
+ZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0q
+n2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx
++wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmK
+hysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABAoIBABWqhMSCr+7Mr3O3
+bIymOr+CT4xWI8S47hmKGFCLTrNsfy7cQZ9PdHkm7Ez+rCx+KwQaTrwz7EM/e8aH
+q2zimMn4YXxeS7MFdM+Xvp/Y0BhXMd1j8Nk0x14+WHmQ88YfA4szdrHDekR+6oB6
+5Lc2fAfNbCGdpRksCQWDndrvIOda1swKW1RsGWHPGtSM1qOg09A4CeASqbsxZfdL
+9MgI7aJKYnvJrUhqsNZU3fuOrLDNl7/JvdI08nYLnNkEvbDYbdfH0Q/4laKsSJcp
+0jM6tPrxbHMDmBEwullVPrVqJX+n6Hvz3E8C9QiZq8NWbJUc5FntLx8ynbiJg6Lb
+1w49WxECgYEA8yVky++3v0ZMKZeSeGj3MuKuEJ2q3UdmsKXA+Pyq0rL/hh7r2oUY
+dQDs23BIuaHeIZxAGaMeMjoYQBi+G50XfwHZSMqivxX/yYkXxOJfPQvVLDbqCIWS
+94qU4/xo50IkCNxpvRwfpKG2ce5YG7jrQkfb5I6TfKUWAaXpmaQnbYsCgYEAxaVn
+Hzw3OdY7q6kURSY6a8KqtcuN0lNKeUb68vZemmZ0FNKmyh+xGVFXXlvmJpQgr5Zm
+2W2a1C1oPq2DEdvSKt/aTHVIazG9TtFK1WAXpLxmlXlyqWRv+IvdVkph+p/3dIT0
+Ilaglgbndth4xk0c1zqy3g4VlAgWgKKi5owZ/j8CgYEAndsFGbHEJZZKFCannSzo
+cEzinT7/kzGr5bt3ES9Y5/n2Euk4TmJignPbUowPaxU/1apPo1VXYVx+Kf7mTZ8r
+hfV5T9ze1BhAPGOY3uXo1wU7nLz6LBYsWDHMgEd7A8jZBDe1HmWH1aZ3gHgxE652
+bk2g4T3/WskDBIbmpi0AvAkCgYBKAfFnRMj5IzscwCcS7YmaqD377MiiJQYR+34k
+VBSAhDSbR3Wk4dESxd6NOqQndff3R74jVGNRZ99M+PPHUCSWYVQApToEyY81YDFB
+TMYNrW5MMjm5LB6xVs3+bcPacOPcAZzY7s8a3mL1oYE339AY16X6eBOkZpLmf/+3
+jGZ/SQKBgQDkyxymL4xJGV8HCDontJZiBStD954GH1AgqEAOdQxU5vW4ySQ7yRoT
+ajb8tH052yWW11Mxd0TRW9qbVI0/4/4lR86sODYLFbgrHAMBl7mxJ8Qwi4zdI9Am
+FXGkj5SX2bYrf2f0YvCHNUbELTd4mF6kAH0Eg6kHRXLsSbhtWC7D3Q==
+-----END RSA PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_listener.p7s b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_listener.p7s
new file mode 100644
index 0000000..08434a9
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/etc/Test_Permissions_listener.p7s
@@ -0,0 +1,51 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----3900963D3572093F6AEC654A72CAEE5A"
+
+This is an S/MIME signed message
+
+------3900963D3572093F6AEC654A72CAEE5A
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>                                    <dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"                                                                xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">          <permissions>                                                                                                               <grant name="DEFAULT_PERMISSIONS">                                                                                        <subject_name>/C=NL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CHAM500 cert</subject_name>                                                                                           <validity>                                                                                                                  <not_before>2015-09-15T01:00:00</not_before>                                                                            <not_after>2019-11-18T11:48:49</not_after>                                                                          </validity>                                                                                                             <deny_rule>                                                                                                                <domains>                                                                                                                   <id_range>                                                                                                                  <min>0</min>                                                                                                            <max>230</max>                                                                                                      </id_range>                                                                                                         </domains>                                                                                                              <publish>                                                                                                                   <topics>                                                                                                                    <topic>*</topic>                                                                                                    </topics>                                                                                                               <partitions/>                                                                                                       </publish>                                                                                                              <subscribe>                                                                                                                 <topics>                                                                                                                    <topic>*</topic>                                                                                                    </topics>                                                                                                               <partitions/>                                                                                                       </subscribe>                                                                                                       </deny_rule>                                                                                                           <default>DENY</default>                                                                                             </grant>                                                                                                            </permissions>                                                                                                      </dds>                                  
+------3900963D3572093F6AEC654A72CAEE5A
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkxMTE4MTE0ODQ4WjAvBgkqhkiG9w0BCQQxIgQgaLNNlFwfVR0PrziT9wCAy5bM
+qCZJX9yO3xJgut3/o7EweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEAWCFrUIvdYKBeT0lmpkRdmYJuvdmQ/Ro7k9iyreVofpB1/70B
+hVOEeRjrlmhv/TUjSgQyli56wmXFmexcNRzSzpPNycz0gjwP9kX5BMnhAkKd08fC
+4rgoirScmNxvxEkj5+wyq7s7rBEJOgVQ9ofwiZXEBVDMVvW2ENZhVF3FyoNulDQe
+6BjXkuLw/QrJLWjywPy5naSSda2T7V3+Ssdu5/2vEjXPIJMM+xPOCaqGHJsSb72s
+KiP48jZ95Wruvj3QAlpGxDaazWPTgn7tfThYrY3Kgiz5zyZM7FhFyIqxRF/89Ngo
+hbu2mWzcXFF7wBLy+CvK5Foajro9t/PzD8uNuA==
+
+------3900963D3572093F6AEC654A72CAEE5A--
+
diff --git a/src/security/builtin_plugins/tests/listeners_access_control/src/listeners_access_control_utests.c b/src/security/builtin_plugins/tests/listeners_access_control/src/listeners_access_control_utests.c
new file mode 100644
index 0000000..5f32d09
--- /dev/null
+++ b/src/security/builtin_plugins/tests/listeners_access_control/src/listeners_access_control_utests.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/misc.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#define REMOVE_THREAD_STATE() ERR_remove_thread_state(NULL);
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L
+#define REMOVE_THREAD_STATE() ERR_remove_state(0);
+#else
+#define REMOVE_THREAD_STATE()
+#endif
+
+static const char *ACCESS_PERMISSIONS_TOKEN_ID = "DDS:Access:Permissions:1.0";
+static const char *AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *PROPERTY_PERMISSIONS_CA_SN = "dds.perm_ca.sn";
+static const char *PROPERTY_PERMISSIONS_CA_ALGO = "dds.perm_ca.algo";
+static const char *PROPERTY_C_ID = "c.id";
+static const char *PROPERTY_C_PERM = "c.perm";
+
+static const char *SUBJECT_NAME_PERMISSIONS_CA = "C=NL, ST=Some-State, O=ADLINK Technolocy Inc., CN=adlinktech.com";
+static const char *RSA_2048_ALGORITHM_NAME = "RSA-2048";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/listeners_access_control/etc/";
+static const char *PERMISSIONS_CA_CERT_FILE = "Test_Permissions_ca.pem";
+static const char *PERMISSIONS_CA_KEY_FILE = "Test_Permissions_ca_key.pem";
+static const char *PERMISSIONS_FILE = "Test_Permissions_listener.p7s";
+static dds_security_access_control_listener ac_listener;
+
+static const char *identity_certificate =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *identity_ca =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *private_key =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *permissions_ca = /*Test_Permissions_ca.pem */
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+#define PERMISSIONS_DOCUMENT "<?xml version=\"1.0\" encoding=\"utf-8\"?>                                    \
+<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"                                                            \
+    xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd\">      \
+    <permissions>                                                                                                       \
+        <grant name=\"DEFAULT_PERMISSIONS\">                                                                            \
+            <subject_name>/C=NL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CHAM500 cert</subject_name>                                                                               \
+            <validity>                                                                                                  \
+                <not_before>2015-09-15T01:00:00</not_before>                                                            \
+                <not_after>PERMISSION_EXPIRY_DATE</not_after>                                                              \
+            </validity>                                                                                                 \
+            <deny_rule>                                                                                                \
+                <domains>                                                                                               \
+                    <id_range>                                                                                          \
+                        <min>0</min>                                                                                    \
+                        <max>230</max>                                                                                  \
+                    </id_range>                                                                                         \
+                </domains>                                                                                              \
+                <publish>                                                                                               \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </publish>                                                                                              \
+                <subscribe>                                                                                             \
+                    <topics>                                                                                            \
+                        <topic>*</topic>                                                                                \
+                    </topics>                                                                                           \
+                    <partitions/>                                                                                       \
+                </subscribe>                                                                                            \
+           </deny_rule>                                                                                                \
+           <default>DENY</default>                                                                                     \
+        </grant>                                                                                                        \
+    </permissions>                                                                                                      \
+</dds>                                  "
+
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle remote_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_GUID_t local_participant_guid;
+static char *g_path_to_etc_dir = NULL;
+static DDS_Security_PermissionsHandle permission_handle_for_callback1 = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle permission_handle_for_callback2 = DDS_SECURITY_HANDLE_NIL;
+static dds_time_t local_expiry_date;
+static dds_time_t remote_expiry_date;
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static void get_future_xsdate(char *str, size_t len, int32_t delta)
+{
+  time_t rawtime;
+  struct tm *future;
+
+  /* Get future time. */
+  rawtime = time(NULL) + delta;
+  future = gmtime(&rawtime);
+
+  /* Put the future time in a xsDate format. */
+  strftime(str, len, "%Y-%m-%dT%H:%M:%S", future);
+}
+
+static int smime_sign(const char *certificate_file, const char *key_file, const char *data, const char *out_file)
+{
+  BIO *in = NULL, *out = NULL, *tbio = NULL, *keybio = NULL;
+  X509 *scert = NULL;
+  EVP_PKEY *skey = NULL;
+  PKCS7 *p7 = NULL;
+  int ret = 1;
+  int flags = PKCS7_DETACHED | PKCS7_STREAM | PKCS7_TEXT;
+
+  /* Read in signer certificate and private key */
+  tbio = BIO_new_file(certificate_file, "r");
+  if (!tbio)
+    goto err;
+  scert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
+
+  keybio = BIO_new_file(key_file, "r");
+  if (!keybio)
+    goto err;
+
+  skey = PEM_read_bio_PrivateKey(keybio, NULL, 0, NULL);
+  if (!scert || !skey)
+    goto err;
+
+  /* Open content being signed */
+  in = BIO_new_mem_buf(data, (int)strlen(data));
+  if (!in)
+    goto err;
+  /* Sign content */
+  p7 = PKCS7_sign(scert, skey, NULL, in, flags);
+  if (!p7)
+    goto err;
+  out = BIO_new_file(out_file, "w");
+  if (!out)
+    goto err;
+
+  //if (!(flags & PKCS7_STREAM))
+  //    BIO_reset(in);
+
+  /* Write out S/MIME message */
+  if (!SMIME_write_PKCS7(out, p7, in, flags))
+    goto err;
+  ret = 0;
+err:
+  if (ret)
+  {
+    fprintf(stderr, "Error Signing Data\n");
+    ERR_print_errors_fp(stderr);
+  }
+  if (p7)
+    PKCS7_free(p7);
+  if (scert)
+    X509_free(scert);
+  if (skey)
+    EVP_PKEY_free(skey);
+  if (in)
+    BIO_free(in);
+  if (keybio)
+    BIO_free(keybio);
+  if (out)
+    BIO_free(out);
+  if (tbio)
+    BIO_free(tbio);
+
+  return ret;
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, int32_t permission_expiry, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+  char *permissions_ca_cert_file;
+  char *permissions_ca_key_file;
+  char *permissions_file;
+  char *permissions_xml_with_expiry;
+  char permission_expiry_date_str[30];
+
+  /*get time in future */
+  get_future_xsdate(permission_expiry_date_str, 30, permission_expiry);
+  local_expiry_date = DDS_Security_parse_xml_date(permission_expiry_date_str);
+
+  permissions_xml_with_expiry = ddsrt_str_replace(PERMISSIONS_DOCUMENT, "PERMISSION_EXPIRY_DATE", permission_expiry_date_str, 1);
+
+  ddsrt_asprintf(&permissions_ca_cert_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_CERT_FILE);
+  ddsrt_asprintf(&permissions_ca_key_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_KEY_FILE);
+  ddsrt_asprintf(&permissions_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_FILE);
+
+  smime_sign(permissions_ca_cert_file, permissions_ca_key_file, permissions_xml_with_expiry, permissions_file);
+
+  //check sign result
+  ddsrt_asprintf(&permission_uri, "file:%s", permissions_file);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(private_key);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(permissions_ca);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+  ddsrt_free(permissions_xml_with_expiry);
+  ddsrt_free(permissions_ca_key_file);
+  ddsrt_free(permissions_ca_cert_file);
+  ddsrt_free(permissions_file);
+}
+
+static void fill_permissions_token(DDS_Security_PermissionsToken *token)
+{
+  memset(token, 0, sizeof(DDS_Security_PermissionsToken));
+
+  token->class_id = ddsrt_strdup(ACCESS_PERMISSIONS_TOKEN_ID);
+  token->properties._length = token->properties._maximum = 2;
+  token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+  token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_SN);
+  token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_PERMISSIONS_CA);
+
+  token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_ALGO);
+  token->properties._buffer[1].value = ddsrt_strdup(RSA_2048_ALGORITHM_NAME);
+}
+
+static int fill_peer_credential_token(DDS_Security_AuthenticatedPeerCredentialToken *token, int32_t permission_expiry)
+{
+  int result = 1;
+  char *permission_data;
+
+  char *permissions_ca_cert_file;
+  char *permissions_ca_key_file;
+  char *permissions_file;
+  char *permissions_xml_with_expiry;
+  char permission_expiry_date_str[30];
+
+  /*get time in future */
+  get_future_xsdate(permission_expiry_date_str, 30, permission_expiry);
+  remote_expiry_date = DDS_Security_parse_xml_date(permission_expiry_date_str);
+  permissions_xml_with_expiry = ddsrt_str_replace(PERMISSIONS_DOCUMENT, "PERMISSION_EXPIRY_DATE", permission_expiry_date_str, 1);
+
+  ddsrt_asprintf(permissions_ca_cert_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_CERT_FILE);
+  ddsrt_asprintf(permissions_ca_key_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_KEY_FILE);
+  ddsrt_asprintf(permissions_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_FILE);
+
+  smime_sign(permissions_ca_cert_file, permissions_ca_key_file, permissions_xml_with_expiry, permissions_file);
+
+  memset(token, 0, sizeof(DDS_Security_AuthenticatedPeerCredentialToken));
+
+  permission_data = load_file_contents(permissions_file);
+
+  if (permission_data)
+  {
+    token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+    token->properties._length = token->properties._maximum = 2;
+    token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+    token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_C_ID);
+    token->properties._buffer[0].value = ddsrt_strdup(&identity_certificate[6]);
+
+    token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_C_PERM);
+    token->properties._buffer[1].value = permission_data;
+  }
+  else
+  {
+    ddsrt_free(permission_data);
+    result = 0;
+  }
+
+  ddsrt_free(permissions_xml_with_expiry);
+  ddsrt_free(permissions_ca_key_file);
+  ddsrt_free(permissions_ca_cert_file);
+  ddsrt_free(permissions_file);
+  return result;
+}
+
+static DDS_Security_long
+validate_local_identity_and_permissions(int32_t permission_expiry)
+{
+  DDS_Security_long res = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_DomainId domain_id = 0;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, permission_expiry, "Test_Governance_ok.p7s");
+
+  /* Now call the function. */
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    res = DDS_SECURITY_ERR_UNDEFINED_CODE;
+    printf("validate_local_identity_failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  if (res == 0)
+  {
+    local_permissions_handle = access_control->validate_local_permissions(
+        access_control,
+        auth,
+        local_identity_handle,
+        0,
+        &participant_qos,
+        &exception);
+
+    if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+    {
+      printf("validate_local_permissions_failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
+      if (exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE)
+        /* This can happen on very slow platforms or when doing a valgrind run. */
+        res = DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE;
+      else
+        res = DDS_SECURITY_ERR_UNDEFINED_CODE;
+    }
+  }
+
+  dds_security_property_deinit(&participant_qos.property.value);
+  ddsrt_free(exception.message);
+
+  return res;
+}
+
+static void clear_local_identity_and_permissions(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_listeners_access_control_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL(plugins != NULL);
+  set_path_to_etc_dir();
+  OpenSSL_add_all_algorithms();
+  ERR_load_crypto_strings();
+}
+
+static void suite_listeners_access_control_fini(void)
+{
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+  EVP_cleanup();
+  CRYPTO_cleanup_all_ex_data();
+  REMOVE_THREAD_STATE();
+  ERR_free_strings();
+}
+
+static DDS_Security_boolean on_revoke_permissions_cb(dds_security_access_control_listener *instance, const dds_security_access_control *plugin, const DDS_Security_PermissionsHandle handle)
+{
+  DDSRT_UNUSED_ARG(instance);
+  DDSRT_UNUSED_ARG(plugin);
+  if (permission_handle_for_callback1 == DDS_SECURITY_HANDLE_NIL)
+    permission_handle_for_callback1 = handle;
+  else if (permission_handle_for_callback2 == DDS_SECURITY_HANDLE_NIL)
+    permission_handle_for_callback2 = handle;
+  printf("Listener called for handle: %lld  Local:%ld Remote:%ld\n", (long long)handle, local_permissions_handle, remote_permissions_handle);
+  return true;
+}
+
+CU_Test(ddssec_builtin_listeners_access_control, local_2secs, .init = suite_listeners_access_control_init, .fini = suite_listeners_access_control_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_long valid;
+  int r;
+  dds_duration_t time_left = DDS_MSECS(10000);
+  bool local_expired = false;
+  bool remote_expired = false;
+
+  local_expiry_date = 0;
+  remote_expiry_date = 0;
+
+  ac_listener.on_revoke_permissions = &on_revoke_permissions_cb;
+
+  valid = validate_local_identity_and_permissions(2);
+  if (valid == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE)
+  {
+    /* This can happen on very slow platforms or when doing a valgrind run.
+         * Just take our losses and quit, simulating a success. */
+    return;
+  }
+  CU_ASSERT_FATAL(valid == DDS_SECURITY_ERR_OK_CODE);
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, 1);
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  access_control->set_listener(access_control, &ac_listener, &exception);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    /* Expiry can happen on very slow platforms or when doing a valgrind run.
+         * Just take our losses and quit, simulating a success. */
+    CU_ASSERT(exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE);
+    goto end;
+  }
+
+  remote_permissions_handle = result;
+
+  reset_exception(&exception);
+
+  while (time_left > 0 && (!local_expired || !remote_expired))
+  {
+    /* Normally, it is expected that the remote expiry is triggered before the
+         * local one. However, that can change on slow platforms. */
+    if (remote_expiry_date < local_expiry_date)
+    {
+      if (permission_handle_for_callback1 == remote_permissions_handle)
+      {
+        remote_expired = true;
+      }
+      if (permission_handle_for_callback2 == local_permissions_handle)
+      {
+        local_expired = true;
+      }
+    }
+    else
+    {
+      if (permission_handle_for_callback2 == remote_permissions_handle)
+      {
+        remote_expired = true;
+      }
+      if (permission_handle_for_callback1 == local_permissions_handle)
+      {
+        local_expired = true;
+      }
+    }
+
+    dds_sleepfor(DDS_MSECS(100));
+    time_left -= DDS_MSECS(100);
+  }
+
+  CU_ASSERT(local_expired);
+  CU_ASSERT(remote_expired);
+
+  access_control->return_permissions_handle(access_control, result, &exception);
+
+end:
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+
+  clear_local_identity_and_permissions();
+}
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_empty.txt b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_empty.txt
new file mode 100644
index 0000000..e69de29
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_text.txt b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_text.txt
new file mode 100644
index 0000000..c1991b0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_File_text.txt
@@ -0,0 +1,3 @@
+This is just a file to see how the Security Plugin
+reacts when it receives a file that doesn't contain
+expected content, but just some text.
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.p7s
new file mode 100644
index 0000000..8992b03
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.p7s
@@ -0,0 +1,199 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----988CFBB47A225358D7A5B33A4CA9AD64"
+
+This is an S/MIME signed message
+
+------988CFBB47A225358D7A5B33A4CA9AD64
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <!-- No access control by any topic and participant is access protected -->
+            <domains>
+                <id>1</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <!-- No write access control by one topic -->
+            <domains>
+                <id>2</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule> 
+        <domain_rule>
+            <!-- No write and read access control by all topic -->
+            <domains>
+                <id>3</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>                  
+        <domain_rule>
+            <!-- Participant is access protected -->
+            <domains>
+                <id>4</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>FALSE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------988CFBB47A225358D7A5B33A4CA9AD64
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAyWjAvBgkqhkiG9w0BCQQxIgQg9ZheySVcKVr9eNKQTeuBdR0z
+Cbgnm4HbSvO8/V0a7CAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACn66JQOghwlIQUMDQ0s
+vMCGMl7OcZtxDdNQ2BYajufv+JGaf46xP6TWk4+c+bDq+9XTDFoTr/KY2XP7vKVD
+RSAm9nlqChzzsKF/7yYdzOP8hILF644PT837mP+E5ss4EYPoPByQLVPWr1B52xWB
+N/kixmZcMxe4btXqE8LGlSsPNioniZsDBRlDOcdFjxTL/3Ksgv6fX2gSEJgYVBH/
+xZ+Cpf4TsdtVDrQwUynck1+BogRtcofnkBFuKozqzwvzDQoLfW2fMnct5Jd7KPwM
+6kN/bRvOEMGYTKYRgfJVdM4rZqbfdRlVnCj+pza4dIHmf5BDSOlsbRqWyJPRmQ8S
+JkM=
+
+------988CFBB47A225358D7A5B33A4CA9AD64--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.xml
new file mode 100644
index 0000000..37749a3
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_check_create_participant.xml
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <!-- No access control by any topic and participant is access protected -->
+            <domains>
+                <id>1</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <!-- No write access control by one topic -->
+            <domains>
+                <id>2</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule> 
+        <domain_rule>
+            <!-- No write and read access control by all topic -->
+            <domains>
+                <id>3</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic2</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>                  
+        <domain_rule>
+            <!-- Participant is access protected -->
+            <domains>
+                <id>4</id>
+            </domains>
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>FALSE</enable_join_access_control>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                    <enable_discovery_protection>TRUE</enable_discovery_protection>
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+                    <topic_expression>Topic1</topic_expression>
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.p7s
new file mode 100644
index 0000000..4ea8fe8
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.p7s
@@ -0,0 +1,267 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----05DBD6F6E587875751A79EAC78048D60"
+
+This is an S/MIME signed message
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*other</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>                
+                <id>200</id>
+                <id>30</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>0</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShipData</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+           
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------05DBD6F6E587875751A79EAC78048D60
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GyBZYdNlmQT2Nv1CHrUEB6+
+C0U0yXvpmj5+mlGojPAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJXrVHO7KdgYM20uGGNL
+P4VRPmYVWoWIkl5/OEzZ8uirs+oGJR7tYLiFl1wzXUzPBB/03qsANmlshDpFgbmV
+thTV7AGRg3SXUDa/cG4N9PupE5VRZaVdbcbdH1DfoIZCLLp4HK3HgqUXkH9vnC92
+tdtgzxZOCrQ4A6WbGiBkWr5LtMWg2lnwPp55vrfRoh6u0qVEumD+VQi+Lroo9M1E
+659LB2dwEcNb1g1HyoodpKlUSsbGsY/JA7bbNrw/KIGVYcoXfmpgWmtzUjfpkPDj
+zVPImqr6jdxP4quGmGWRmrLHPrEYJscJqCwjNTi6naXnAvaE4nxQ4HBgveEodTuP
+8tM=
+
+------05DBD6F6E587875751A79EAC78048D60--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.xml
new file mode 100644
index 0000000..4ff15ab
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_full.xml
@@ -0,0 +1,215 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*other</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>20</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>                
+                <id>200</id>
+                <id>30</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>1</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>0</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShipData</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+           
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.p7s
new file mode 100644
index 0000000..ba75bfe
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.p7s
@@ -0,0 +1,175 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----1A6607CDB3CA97628720C3874B28523D"
+
+This is an S/MIME signed message
+
+------1A6607CDB3CA97628720C3874B28523D
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------1A6607CDB3CA97628720C3874B28523D
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg16RVkhnhbWczLVFXDHVD6lPy
+G5w7StRkpXgPtz/r+5MwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJsBPV85r3vm0jr/YWKo
+J1j054f+gdqnrfH9kv6dvhg/IAK67mfWDHYUUah6D/1HFJve5KMR8tBu2j770M42
+rDjUBVQADqwWc+9ymiGcIjav9r1+YVTzOCHZnASJyqWPakCwwrdMthb2bB//ASmL
+rHOxsJZs68r0ci8ZC4bPbe0m8gAC8lkAvfhIr0/WLO4zhdhVaSrKNKptEjTVGRan
+KcjoHAiNOhxWZfwZ+OVEp6Rnax4xcpGK3oyCcg9v8zGKj9rDX917K3VfW9Guo+Px
+fZ1u+ukL2GgvzPMdJuU0Uw6mPbWMPeAKbIFwLR9P8iXtKuj2HHqteFVbcyIQXZSE
+nRM=
+
+------1A6607CDB3CA97628720C3874B28523D--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.xml
new file mode 100644
index 0000000..d445705
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_data.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.p7s
new file mode 100644
index 0000000..9a51a3f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.p7s
@@ -0,0 +1,178 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4B1AFE4A648D807454B86C7DDD6F392C"
+
+This is an S/MIME signed message
+
+------4B1AFE4A648D807454B86C7DDD6F392C
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <ufo>Unidentified Flying Object</ufo>
+
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------4B1AFE4A648D807454B86C7DDD6F392C
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgLhPNfJcKb6QszZuyFWmmLGOQ
+ZDTY0NBpcqMym1+AijAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBABwNsFseYbpH+mGslN/g
+UY1RNq8f9pFOhTn89NAu94xJgZ2wu5izmSsaEK8K8nrPnxTouD7b5P5w5JQnEVU5
+m2yDD62ZdrlNm51u6VS1JoleHleTEyseagVYlLk+R2FYIH8xfjT0e6jc93qIlm+f
+XehwwbCsVUUdy3ViV9APoFP6b5YB+bXe6AtMMTobhEzplqs7GzOFzzC4YuhHSvi2
+sVFXmlHFwOKKIS7he8467breo+SYunv5IttcyqypltydmEcOndCQ2uAWiPvsJIat
+DyIkewjrWFL/0l/uTDmk3EUcTmmugVkhykmkfb9subqMHXKbDkcXgZgggR57/9+n
+eOU=
+
+------4B1AFE4A648D807454B86C7DDD6F392C--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.xml
new file mode 100644
index 0000000..81f5ea6
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_invalid_element.xml
@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id>20</id>
+                <id>30</id>
+                <id_range>
+                    <min>0</min>
+                    <max>23</max>
+                </id_range>
+                <id_range>
+                    <min>100</min>
+                    <max>120</max>
+                </id_range>
+                <id>200</id>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>TRUE</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <ufo>Unidentified Flying Object</ufo>
+
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>OwnShip?ata</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>FALSE</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>false</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>true</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>SIGN</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+                
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>Kinematics</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>true</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>NONE</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>NONE</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_not_signed.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_not_signed.p7s
new file mode 100644
index 0000000..30fa20a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_not_signed.p7s
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_unknown_ca.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_unknown_ca.p7s
new file mode 100644
index 0000000..9f07e40
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Governance_unknown_ca.p7s
@@ -0,0 +1,117 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F38FD3F34A584E774726CA12090D0B48"
+
+This is an S/MIME signed message
+
+------F38FD3F34A584E774726CA12090D0B48
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------F38FD3F34A584E774726CA12090D0B48
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
+pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
+YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
+MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
+NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
+aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
+czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
+Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
+MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
+f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
+/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
+YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
+WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
+T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
+e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
+TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
+k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
+gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
+DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
+bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
+CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
+9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIyMzha
+MC8GCSqGSIb3DQEJBDEiBCBe/wOS+XB5tczAcNs1zT89zfSDIbfFYKfB63j1NExY
+WzB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
+YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
+AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQAy
+baJVxRJcZ3wYtb/TfQUDKNmaz7pYWNoKNxkPyKUerMOAZ9n0yvySNJUpzG+kJJNi
+Ib792GXdmP4hdz4qC4Zx3S7H26OAYcOsTwd6+O/xcv8H7PQoPD+3fplhIvLtpIlS
+//9ghpBXbUowdgzeDrYBpzRLqUth58IxsHd9cJQCCboKZIv8+6eP9fn1OD/CLGV3
+BNMvmeP88LU8UgtiivmmEJZ0fRtDVAGRIWykT1AvTfl69Pv9VKDuUW3qkuMwz7lW
+Dv0c624BYPbQWdU7W5//iy4kSfwrtXtag7aovUbcwkmb2qb5v5c5ZqNoLPUvUpIG
+KZUh0/aBuBovjwHZMcgl
+
+------F38FD3F34A584E774726CA12090D0B48--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca.pem b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca.pem
new file mode 100644
index 0000000..2372ae0
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj
+aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx
+MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM
+ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV
+BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD
+uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO
+NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r
+cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L
+FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu
+kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK
+ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND
+LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI
+eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0
+KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl
+PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs
+hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF
+HQ==
+-----END CERTIFICATE-----
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca_key.pem b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca_key.pem
new file mode 100644
index 0000000..22fac8b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ca_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxr
+nGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSp
+ZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0q
+n2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx
++wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmK
+hysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABAoIBABWqhMSCr+7Mr3O3
+bIymOr+CT4xWI8S47hmKGFCLTrNsfy7cQZ9PdHkm7Ez+rCx+KwQaTrwz7EM/e8aH
+q2zimMn4YXxeS7MFdM+Xvp/Y0BhXMd1j8Nk0x14+WHmQ88YfA4szdrHDekR+6oB6
+5Lc2fAfNbCGdpRksCQWDndrvIOda1swKW1RsGWHPGtSM1qOg09A4CeASqbsxZfdL
+9MgI7aJKYnvJrUhqsNZU3fuOrLDNl7/JvdI08nYLnNkEvbDYbdfH0Q/4laKsSJcp
+0jM6tPrxbHMDmBEwullVPrVqJX+n6Hvz3E8C9QiZq8NWbJUc5FntLx8ynbiJg6Lb
+1w49WxECgYEA8yVky++3v0ZMKZeSeGj3MuKuEJ2q3UdmsKXA+Pyq0rL/hh7r2oUY
+dQDs23BIuaHeIZxAGaMeMjoYQBi+G50XfwHZSMqivxX/yYkXxOJfPQvVLDbqCIWS
+94qU4/xo50IkCNxpvRwfpKG2ce5YG7jrQkfb5I6TfKUWAaXpmaQnbYsCgYEAxaVn
+Hzw3OdY7q6kURSY6a8KqtcuN0lNKeUb68vZemmZ0FNKmyh+xGVFXXlvmJpQgr5Zm
+2W2a1C1oPq2DEdvSKt/aTHVIazG9TtFK1WAXpLxmlXlyqWRv+IvdVkph+p/3dIT0
+Ilaglgbndth4xk0c1zqy3g4VlAgWgKKi5owZ/j8CgYEAndsFGbHEJZZKFCannSzo
+cEzinT7/kzGr5bt3ES9Y5/n2Euk4TmJignPbUowPaxU/1apPo1VXYVx+Kf7mTZ8r
+hfV5T9ze1BhAPGOY3uXo1wU7nLz6LBYsWDHMgEd7A8jZBDe1HmWH1aZ3gHgxE652
+bk2g4T3/WskDBIbmpi0AvAkCgYBKAfFnRMj5IzscwCcS7YmaqD377MiiJQYR+34k
+VBSAhDSbR3Wk4dESxd6NOqQndff3R74jVGNRZ99M+PPHUCSWYVQApToEyY81YDFB
+TMYNrW5MMjm5LB6xVs3+bcPacOPcAZzY7s8a3mL1oYE339AY16X6eBOkZpLmf/+3
+jGZ/SQKBgQDkyxymL4xJGV8HCDontJZiBStD954GH1AgqEAOdQxU5vW4ySQ7yRoT
+ajb8tH052yWW11Mxd0TRW9qbVI0/4/4lR86sODYLFbgrHAMBl7mxJ8Qwi4zdI9Am
+FXGkj5SX2bYrf2f0YvCHNUbELTd4mF6kAH0Eg6kHRXLsSbhtWC7D3Q==
+-----END RSA PRIVATE KEY-----
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.p7s
new file mode 100644
index 0000000..bf35bf7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----11798C99B4C31493D0479BB8A2064C72"
+
+This is an S/MIME signed message
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgXPEkUvQgZwRMdZgxT8k/mrsJ
+delB0E3RjpayHUkKYzowgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAA/TNULF62fO5mfjXm1L
+Yk4Dg/5ZxAF/grDAjamo5v2fxGn6B1rrkj8YtyB1FEA0moM/cL31kNXNMqLvFdhY
+lHCmX8x5PHkKzLihTIMx6diSCupBvvqUACeA7Ir1A3tMqW5tYYMg6sZ/YolgLLFG
+8XmhttpEibtZm90MN3Xpsa4TiW5PlEWHC5ai3tyeyd/RCVoeQJVA0pAytmjdf2Mw
+C3W/28tUxVCAjdlqXYap6jWZlNv/43P5HED837bF5iqoa1dTvDirca6WPanNjp28
+GQDi4bnD1kAk8wAKIm14qwS+fzxM3SKxJtdQuUCx+s/tPma4bLCqt843ok35SoWo
+QKM=
+
+------11798C99B4C31493D0479BB8A2064C72--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.xml
new file mode 100644
index 0000000..f408942
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_expired.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.p7s
new file mode 100644
index 0000000..a8e71c1
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D2957343698C311655D075C56A04A68D"
+
+This is an S/MIME signed message
+
+------D2957343698C311655D075C56A04A68D
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------D2957343698C311655D075C56A04A68D
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgcYMSlCRiboSPUqMbBIKL7lBv
+QJlEFiHrJ5t/aOJZbi0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAJsR4q4Eeorhd4sQaw+D
+PErzkTuI1PEDzv2oYy3U/w4ZdGF2TJQqZ/OqiKEtmwqVAKfuPb9XQLPSENtn2uZC
+wz9ZcvMJ4/GOOMWezN6J65pfuAeEWa0oGCcAASl7tuk+QpAK3MY8L5hxCPb6sfr9
+jslfMqJ+WYgrOVuqWMAYZoXwIgJ1GdREXOXoCnyEkwy6Prk6NhSDO6Jl91PxcZWG
+ZITu7y/mklX8cSx09MNyOfefFhCIfNnXGJu0HUTYluTFd1LgRan6f0uyPR2zBLlE
+qzuaetvpNlUclf8dywlazI8oRjfrusYo3tiKG+hHkjrXc7WHOh+I08Tqeyue+0tg
+cjw=
+
+------D2957343698C311655D075C56A04A68D--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.xml
new file mode 100644
index 0000000..0be3fa2
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_full.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.p7s
new file mode 100644
index 0000000..b3b969e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.p7s
@@ -0,0 +1,219 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62BE4CE8CF1FCB0420A2F2884B1618E6"
+
+This is an S/MIME signed message
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQghoicue+FOmdIHF9rpsNCfmjP
++ZyN+t9kCdmR68JCJU0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAI0BX2tu2DbQjvuzKG35
+myNBcOC9ZzRDqJEtmQhcY/2hAJzurlnclJVTEXFyXdpV4ywtA+lQvbtToh11AvnY
+IY1QWNVm19mfO1J6m6PFu18tizd30sG7p1TZKxGB3zDeVVqmedZ+o7QJHv9/ixzz
+Pyo2B9tG5Su94+ADc0LQNyGICjeMr7L6dhFDsm7fXBi8pMBKy/zEAynTA3r1ibsn
+5zlizPMlad2HCaYv44x7Xksg9FSbzJwJpTiprbQbZSUPYk4WlfVz0l4plzRKu4AP
+lCOsdRE6C6GQFnK5bLyndu3Ycp10niwfkfobruCDyigu+gjZtmmF/T7A8Xkk1uvx
+fAM=
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.xml
new file mode 100644
index 0000000..5ebb397
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_data.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.p7s
new file mode 100644
index 0000000..521f4cf
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.p7s
@@ -0,0 +1,219 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----3EE420429594FF1492D49B1EEBFBAF0E"
+
+This is an S/MIME signed message
+
+------3EE420429594FF1492D49B1EEBFBAF0E
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <ufo>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </ufo>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------3EE420429594FF1492D49B1EEBFBAF0E
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgk4Y6Rw4+DVfETNs8Ddv6rnhK
+w7EwwZ9nE7SiujxSsDEwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAGkiiP+V49XZIwqbpqwN
+RHv0tn06/BAuRGNybse1GkVzlNmuwbGObUUpKtKh4VxN8XuTfH5uuLEqftN2LvGG
+zEiyosHX0gjsX6hihqoIcbfdsKpxd/OPCr/iNdOKWCSyV0aqaP3fc9Y2L1xVdXfn
+avjfd8wief+ERfwKlsbHYsgh6/zwhVeMt2mzr8T0c+ICC99+XXmSvpnGJ89amYub
+NnQwdxTp4PBQhudXixG3LrZ1CZafoLRz+x9vEIVF9oFyy7kMkeFtjd7aXc346Ama
+djOu1LtzvWZKOMeGYVaSiQMl4HhpOh/embx+AClH/Hf1o7AA+ivF8vZgUDAAK2GD
+rx8=
+
+------3EE420429594FF1492D49B1EEBFBAF0E--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.xml
new file mode 100644
index 0000000..6f38953
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_invalid_element.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <ufo>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </ufo>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.p7s
new file mode 100644
index 0000000..804f556
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.p7s
@@ -0,0 +1,95 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E9994989EF5BC12DCCE6563CF088037D"
+
+This is an S/MIME signed message
+
+------E9994989EF5BC12DCCE6563CF088037D
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------E9994989EF5BC12DCCE6563CF088037D
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgVn6yZWB0OOqW+6/ubhU1M4pT
+tL+lh8qj9izsf/c3gKMwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAKhwx+Ew2m6lHQxL0I0K
+Z0fdN8+19XGKYPWNuGwDR5MYpMX5jin/w/FgzeG5gSHqB51PRLJjH81incNVcRCf
+bRKvwOv8b4J8D14ZG28SoNCsKejbXccFuA967ir+GHYrh0V9ikM/TwPuhosxclM5
+hZQuvRKig6Fum+PmGO7sLNyIPB1ODE8gbz0IiY9l6Zlp0xEe/+4YYpBL+GKamnlS
+boRrfgGaTaWWi9EnjZWmJkFBO9vC08XZQ1akCubC0G8Kki0X3ZXJVXkX3AxjvZJY
+XDdstpKWbfqlWzkYlJSI/I96BO2ZXY7nnsQU+8tvPV/6k6BaC80m0FhoTQJfDdLR
+WnA=
+
+------E9994989EF5BC12DCCE6563CF088037D--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.xml
new file mode 100644
index 0000000..27e5fb9
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_after.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.p7s
new file mode 100644
index 0000000..a21bac6
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.p7s
@@ -0,0 +1,95 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E0088C6C0B487BC746E35E87718DA89E"
+
+This is an S/MIME signed message
+
+------E0088C6C0B487BC746E35E87718DA89E
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------E0088C6C0B487BC746E35E87718DA89E
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgOCgkm0Mu6pRSDhlMd5/7OGhr
+3TedLdpw5DQNC60vDgYwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBALYwxGivvBYfCdRADnYd
+ysgBOITPhEY+TqqqEtiX4cIyeEdZGMFxcciMxbXVB1qy7js7PM+tbZ/+ICutyA7J
+dkU9cNO9hLM/LYASv9B9zpgxMecYcA9rx7OEpM3Sr2eXOTbu2j3gUoCun7y8f+yv
+iiYUORa0cX8oFnq++rQXHE/0rOVd17tboLvsy97Tro8o1e7WFA2gkJsCyo4QF+Lg
+yz8IKdKMIRLpEl07bGIcIq4gvarQnN3qT1KuOMrDQD29CFZMwCO/TSGVeZYRHdW9
+s1hhmrTlkmlhPyXG9yxm9PH9UHZyfhkbrhIXZtN6M/7SO8VfTMfotyTbFtuatzzL
+fz4=
+
+------E0088C6C0B487BC746E35E87718DA89E--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.xml
new file mode 100644
index 0000000..6c3f892
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_lack_of_not_before.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_not_signed.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_not_signed.p7s
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_not_signed.p7s
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.p7s
new file mode 100644
index 0000000..7fd4098
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F87E07CA6CCEAB50B03A143AC2354EB4"
+
+This is an S/MIME signed message
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GGu1gWhHWhfWnmg55AIr4tv
+zMK0kIxNfJYQbb7LpJ8wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBALsPI2+b0w+iUPJGJeMd
+VdrY7s/GZYm6M8qOA5fmh3144bY1rZRjdHjXtLdaNDNN1Z5buRCiQcklAilf6O14
+7u6a5HR12N4LTbg3OYQplwz4ed/wBsL726htmkAK3JogGk5OVLqmmdrz3UOD8IaZ
+wAfx2tpj3VJOVuW0XsqOrzQpnOjGWcPeOw6NAxRH1gLsxBP9HDz5+wrsKXjV/zG8
+dFTaZ0bKnBXTp5ccc9jB4qbcllC9nlJkJszGqvwOP7zWBAOXeU+joUGM4Bt+8Pmt
+pKsVAmEqMpc368RMayDBWtTqUWpUKvDh4HSkuOGD4Hj5ViAoLFjisROhIK2d98XI
+cRQ=
+
+------F87E07CA6CCEAB50B03A143AC2354EB4--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.xml
new file mode 100644
index 0000000..99fec50
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_notyet.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.xml
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_ok.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_ca.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_ca.p7s
new file mode 100644
index 0000000..6a2905a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_ca.p7s
@@ -0,0 +1,87 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7FBACED8776E5A4CF7612C83F9C33E17"
+
+This is an S/MIME signed message
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/C=NL/ST=Some-State/O=ADLINK Technolocy Inc./CN=adlinktech.com</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
+pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
+YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
+MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
+NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
+aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
+czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
+Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
+MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
+f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
+/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
+YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
+WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
+T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
+e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
+TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
+k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
+gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
+DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
+bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
+CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
+9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIzMDNa
+MC8GCSqGSIb3DQEJBDEiBCCvP08gFBO7651mPPDFQ2suhL+eprGCGuRLXmiBmdvx
+ITB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
+YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
+AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQB/
+4EQel+0LsmiNFCUjWM68u4ZvPtFBpeDe456DJuG6QR0LIzW42U7N4P2ZTIqjpGZx
+YekBCNdkiVy6ER5IA4WfcKd6zXZEuXVxkMrGpJlqGdd+IdZpTsrBygGZJS4vMUfD
+/6ty6OycET88RmJIu4V/TM3yLVKzHuj6TxCXb4OIYx8g3mdXUwUrp6DGgqggRSPJ
+tatbpnqGZGcvty8MusXVnjnEwUWnJ/jojypY3MyL4MTbjufjv0K6NKQ3RzoLssot
+SLq0YDLwvX/s9sLXDCedAwFXBS/6Qv56v0M2x4o8e3Eul7gGTMuCd/dJ0BhF8CW+
+IGxR5I3xXssh/AuWRRtV
+
+------7FBACED8776E5A4CF7612C83F9C33E17--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.p7s b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.p7s
new file mode 100644
index 0000000..fb488c7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7B161F9203F175A7F82A389A3E044741"
+
+This is an S/MIME signed message
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg44QSCYJrKGm9hdPbOKQjrnQ8
+LXMSbo0mve1cRKvrm3gwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAH/fJ90OwloC73faPAGC
+VRZrhW/gSsy/1VnprvWdDAU1ZZK+srIISFZAy19LcApTis0Vy9yz2PG8pue49R+y
+UF6mCDSuN/l9SRBdUN+CXQdQ8sGq5SHXNhGzSX/nbR20ol4cSUMpKlEGx66E0KUW
+tkk8HzYw7aHMiwK2E2Y0sbm/M/rdmAbgEoywYfvc25V4FHP66TstfCLBjN9Hz3bH
+WcrCZuPjZo6vBd/rIJQSlgH81aCWn5RfCIccbc3iogwzIhYxAr6d+4do3LNa6H80
+W6CMgl0AnWFfa4QwnXFUzb1/W2rFjHp453w1Cbqk4Ll4ZlVJr4fzIuyuJMQlMrmK
+1P0=
+
+------7B161F9203F175A7F82A389A3E044741--
+
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.xml b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.xml
new file mode 100644
index 0000000..8a55faf
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/etc/Test_Permissions_unknown_subject.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_local_permissions/src/validate_local_permissions_utests.c b/src/security/builtin_plugins/tests/validate_local_permissions/src/validate_local_permissions_utests.c
new file mode 100644
index 0000000..b690fdb
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_local_permissions/src/validate_local_permissions_utests.c
@@ -0,0 +1,1020 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/validate_local_permissions/etc/";
+
+static const char *AUTH_IDENTITY_CERT =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *AUTH_IDENTITY_CA =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *AUTH_PRIVATE_KEY =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static struct plugins_hdl *g_plugins = NULL;
+static dds_security_authentication *g_auth = NULL;
+static dds_security_access_control *g_access_control = NULL;
+static char *g_path_to_etc_dir = NULL;
+
+/* Prepare a property sequence. */
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+/* Cleanup a property sequence.*/
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+/* Find a property within a sequence.*/
+static DDS_Security_Property_t *dds_security_property_find(DDS_Security_PropertySeq *seq, const char *name)
+{
+  DDS_Security_Property_t *prop = NULL;
+  uint32_t i;
+  for (i = 0; (i < seq->_length) && (prop == NULL); i++)
+  {
+    if (strcmp(seq->_buffer[i].name, name) == 0)
+    {
+      prop = &(seq->_buffer[i]);
+    }
+  }
+  return prop;
+}
+
+/* Cleanup exception contents.*/
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+/* Glue two strings together */
+static char *combine_strings(const char *prefix, const char *postfix)
+{
+  char *str;
+  ddsrt_asprintf(&str, "%s%s", prefix, postfix);
+  return str;
+}
+
+/* Use the given file to create a proper file uri (with directory).*/
+static char *create_uri_file(const char *file)
+{
+  char *uri;
+  char *dir;
+  if (file)
+  {
+    dir = combine_strings("file:", g_path_to_etc_dir);
+    uri = combine_strings(dir, file);
+    ddsrt_free(dir);
+  }
+  else
+  {
+    uri = ddsrt_strdup("file:");
+  }
+  return uri;
+}
+
+/* Read the given file contents and transform it into a data uri.*/
+static char *create_uri_data(const char *file)
+{
+  char *data = NULL;
+  char *location;
+  char *contents;
+
+  if (file)
+  {
+    location = combine_strings(g_path_to_etc_dir, file);
+    if (location)
+    {
+      contents = load_file_contents(location);
+      if (contents)
+      {
+        data = combine_strings("data:,", contents);
+        ddsrt_free(contents);
+      }
+      ddsrt_free(location);
+    }
+  }
+  else
+  {
+    data = ddsrt_strdup("data:,");
+  }
+
+  return data;
+}
+
+/* Fill the security properties of a participant QoS with the
+ * authorization and access_control values. */
+static void fill_property_policy(DDS_Security_PropertyQosPolicy *property, const char *permission_ca, const char *permission_uri, const char *governance_uri)
+{
+  dds_security_property_init(&property->value, 6);
+  /* Authentication properties. */
+  property->value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  property->value._buffer[0].value = ddsrt_strdup(AUTH_IDENTITY_CERT);
+  property->value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  property->value._buffer[1].value = ddsrt_strdup(AUTH_IDENTITY_CA);
+  property->value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  property->value._buffer[2].value = ddsrt_strdup(AUTH_PRIVATE_KEY);
+  /* AccessControl properties. */
+  property->value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  property->value._buffer[3].value = permission_ca ? ddsrt_strdup(permission_ca) : NULL;
+  property->value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  property->value._buffer[4].value = permission_uri ? ddsrt_strdup(permission_uri) : NULL;
+  property->value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  property->value._buffer[5].value = governance_uri ? ddsrt_strdup(governance_uri) : NULL;
+}
+
+/* Open a local identity by calling the authorization plugin with
+ * properly created dummy values and the given participant QoS.*/
+static DDS_Security_IdentityHandle create_local_identity(DDS_Security_Qos *participant_qos)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_DomainId domain_id = 0;
+  DDS_Security_GUID_t local_participant_guid;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  CU_ASSERT_FATAL(g_auth->validate_local_identity != NULL);
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  /* Now call the function. */
+  result = g_auth->validate_local_identity(
+      g_auth,
+      &local_id_hdl,
+      &local_participant_guid,
+      domain_id,
+      participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  return local_id_hdl;
+}
+
+/* Close the given local identity by returning its handle to the
+ * authorization plugin.*/
+static void clear_local_identity(DDS_Security_IdentityHandle local_id_hdl)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_id_hdl != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = g_auth->return_identity_handle(g_auth, local_id_hdl, &exception);
+    if (!success)
+    {
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+    reset_exception(&exception);
+  }
+}
+
+/* Prepare the global link to the test's "etc" directory.*/
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * It will transform the given files into proper uri's.
+ * A NULL will result in a file uri without actual link.*/
+static void qos_init_file(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca;
+  char *permission_uri;
+  char *governance_uri;
+
+  permission_ca = create_uri_file(certificate_filename);
+  permission_uri = create_uri_file(permission_filename);
+  governance_uri = create_uri_file(governance_filename);
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * It will transform the given files into data uri's.
+ * A NULL will result in a data uri without actual data.*/
+static void qos_init_data(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca;
+  char *permission_uri;
+  char *governance_uri;
+
+  permission_ca = create_uri_data(certificate_filename);
+  permission_uri = create_uri_data(permission_filename);
+  governance_uri = create_uri_data(governance_filename);
+  CU_ASSERT_FATAL(permission_ca != NULL);
+  CU_ASSERT_FATAL(permission_uri != NULL);
+  CU_ASSERT_FATAL(governance_uri != NULL);
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * A NULL will result in an uri with an unknown type.*/
+static void qos_init_type(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca;
+  char *permission_uri;
+  char *governance_uri;
+
+  if (certificate_filename)
+    permission_ca = create_uri_file(certificate_filename);
+  else
+    permission_ca = ddsrt_strdup("unknown_type:,just some data");
+  if (permission_filename)
+    permission_uri = create_uri_file(permission_filename);
+  else
+    permission_uri = ddsrt_strdup("unknown_type:,just some data");
+  if (governance_filename)
+    governance_uri = create_uri_file(governance_filename);
+  else
+    governance_uri = ddsrt_strdup("unknown_type:,just some data");
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Initialize the participant QoS with security related properties.
+ * Allow NULL as property value.*/
+static void qos_init_null(DDS_Security_Qos *participant_qos, const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_ca = NULL;
+  char *permission_uri = NULL;
+  char *governance_uri = NULL;
+
+  if (certificate_filename)
+    permission_ca = create_uri_file(certificate_filename);
+  if (permission_filename)
+    permission_uri = create_uri_file(permission_filename);
+  if (governance_filename)
+    governance_uri = create_uri_file(governance_filename);
+
+  memset(participant_qos, 0, sizeof(*participant_qos));
+  fill_property_policy(&(participant_qos->property),
+                       permission_ca,
+                       permission_uri,
+                       governance_uri);
+
+  ddsrt_free(permission_ca);
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+/* Cleanup the participant QoS.*/
+static void qos_deinit(DDS_Security_Qos *participant_qos)
+{
+  dds_security_property_deinit(&(participant_qos->property.value));
+}
+
+/* Setup the testing environment by loading the plugins and
+ * creating a local identity.*/
+static DDS_Security_IdentityHandle test_setup(DDS_Security_Qos *participant_qos)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+
+  g_plugins = load_plugins(&g_access_control /* Access Control */,
+                           &g_auth /* Authentication */,
+                           NULL /* Cryptograpy    */);
+  if (g_plugins)
+  {
+    CU_ASSERT_FATAL(g_auth != NULL);
+    CU_ASSERT_FATAL(g_access_control != NULL);
+    CU_ASSERT_FATAL(g_access_control->validate_local_permissions != NULL);
+    CU_ASSERT_FATAL(g_access_control->return_permissions_handle != NULL);
+
+    local_id_hdl = create_local_identity(participant_qos);
+  }
+
+  return local_id_hdl;
+}
+
+/* Teardown the testing environment by clearing the local identity
+ * and closing the plugins.*/
+static int test_teardown(DDS_Security_IdentityHandle local_id_hdl)
+{
+  clear_local_identity(local_id_hdl);
+  unload_plugins(g_plugins);
+  g_plugins = NULL;
+  g_access_control = NULL;
+  g_auth = NULL;
+  return 0;
+}
+
+/* The AccessControl related properties in the participant_qos will
+ * have some kind of problem that should force a failure when
+ * checking the local permissions.*/
+static DDS_Security_long test_failure_scenario(DDS_Security_Qos *participant_qos)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  /* Prepare testing environment. */
+  local_id_hdl = test_setup(participant_qos);
+  CU_ASSERT_FATAL(local_id_hdl != DDS_SECURITY_HANDLE_NIL);
+
+  /* Call the plugin with the invalid property. */
+  result = g_access_control->validate_local_permissions(
+      g_access_control,
+      g_auth,
+      local_id_hdl,
+      0,
+      participant_qos,
+      &exception);
+
+  /* Be sure the plugin returned a failure. */
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    code = exception.code;
+    CU_ASSERT(exception.message != NULL);
+    printf("validate_local_permissions failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
+  }
+  else
+  {
+    reset_exception(&exception);
+    g_access_control->return_permissions_handle(g_access_control, result, &exception);
+  }
+  reset_exception(&exception);
+
+  /* Cleanup the testing environment. */
+  test_teardown(local_id_hdl);
+
+  return code;
+}
+
+/* Use with invalid file link for certificate, permission or
+ * governance. The local permissions check should fail.*/
+static DDS_Security_long test_invalid_file_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_file(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+
+  qos_deinit(&participant_qos);
+
+  return code;
+}
+
+/* Use with invalid data for certificate, permission or governance.
+ * The local permissions check should fail.*/
+static DDS_Security_long test_invalid_data_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_data(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+
+  qos_deinit(&participant_qos);
+
+  return code;
+}
+
+/* Generate uri's with invalid types for certificate, permission
+ * or governance. The local permissions check should fail.*/
+static DDS_Security_long test_invalid_type_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_type(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+  qos_deinit(&participant_qos);
+  return code;
+}
+
+/* Create properties in the QoS without actual values (NULL).
+ * The local permissions check should fail.*/
+static DDS_Security_long test_null_uri(const char *certificate_filename, const char *permission_filename, const char *governance_filename)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Qos participant_qos;
+
+  qos_init_null(&participant_qos,
+                certificate_filename,
+                permission_filename,
+                governance_filename);
+
+  code = test_failure_scenario(&participant_qos);
+
+  qos_deinit(&participant_qos);
+
+  return code;
+}
+
+/* Get valid documents, but corrupt the signatures.
+ * The local permissions check should fail.*/
+static DDS_Security_long test_corrupted_signature(bool corrupt_permissions, bool corrupt_governance)
+{
+  DDS_Security_long code = DDS_SECURITY_ERR_OK_CODE;
+  DDS_Security_Property_t *prop = NULL;
+  DDS_Security_Qos participant_qos;
+  size_t len;
+
+  /* Get data with valid signatures. */
+  qos_init_data(&participant_qos,
+                "Test_Permissions_ca.pem",
+                "Test_Permissions_full.p7s",
+                "Test_Governance_full.p7s");
+
+  /* Only allow one signature to be corrupted. */
+  CU_ASSERT_FATAL(corrupt_permissions != corrupt_governance);
+
+  /* Corrupt the signature. */
+  if (corrupt_permissions)
+    prop = dds_security_property_find(&(participant_qos.property.value), PROPERTY_PERMISSIONS);
+  if (corrupt_governance)
+    prop = dds_security_property_find(&(participant_qos.property.value), PROPERTY_GOVERNANCE);
+
+  /* Just some (hardcoded) sanity checks. */
+  CU_ASSERT_FATAL(prop != NULL);
+  CU_ASSERT_FATAL(prop->value != NULL);
+  len = strlen(prop->value);
+  CU_ASSERT_FATAL(len > 2250);
+
+  /* Corrupt a byte somewhere in the signature. */
+  prop->value[len - 75]--;
+
+  code = test_failure_scenario(&participant_qos);
+  qos_deinit(&participant_qos);
+  return code;
+}
+
+static void suite_validate_local_permissions_init(void)
+{
+  set_path_to_etc_dir();
+}
+
+static void suite_validate_local_permissions_fini(void)
+{
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+/* Supplying proper files should pass the local permissions check */
+CU_Test(ddssec_builtin_validate_local_permissions, valid_file, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  qos_init_file(&participant_qos,
+                "Test_Permissions_ca.pem",
+                "Test_Permissions_full.p7s",
+                "Test_Governance_full.p7s");
+  local_id_hdl = test_setup(&participant_qos);
+  CU_ASSERT_FATAL(local_id_hdl != DDS_SECURITY_HANDLE_NIL);
+
+  result = g_access_control->validate_local_permissions(
+      g_access_control,
+      g_auth,
+      local_id_hdl,
+      0,
+      &participant_qos,
+      &exception);
+
+  CU_ASSERT(result != 0);
+  if (result == 0)
+  {
+    printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  else
+  {
+    g_access_control->return_permissions_handle(g_access_control, result, &exception);
+  }
+  reset_exception(&exception);
+
+  test_teardown(local_id_hdl);
+  qos_deinit(&participant_qos);
+}
+
+/* Supplying proper data should pass the local permissions check */
+CU_Test(ddssec_builtin_validate_local_permissions, valid_data, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_IdentityHandle local_id_hdl = DDS_SECURITY_HANDLE_NIL;
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  qos_init_data(&participant_qos,
+                "Test_Permissions_ca.pem",
+                "Test_Permissions_full.p7s",
+                "Test_Governance_full.p7s");
+  local_id_hdl = test_setup(&participant_qos);
+  CU_ASSERT(local_id_hdl != DDS_SECURITY_HANDLE_NIL);
+
+  result = g_access_control->validate_local_permissions(
+      g_access_control,
+      g_auth,
+      local_id_hdl,
+      0,
+      &participant_qos,
+      &exception);
+
+  CU_ASSERT(result != 0);
+  if (result == 0)
+  {
+    printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+  else
+  {
+    g_access_control->return_permissions_handle(g_access_control, result, &exception);
+  }
+  reset_exception(&exception);
+
+  test_teardown(local_id_hdl);
+  qos_deinit(&participant_qos);
+}
+
+/* Supplying no files but directories should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_directories, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to a valid directory.*/
+  code = test_invalid_file_uri("",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission points to a valid directory. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance points to a valid directory.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Supplying empty files should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_empty_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to an empty file. */
+  code = test_invalid_file_uri("Test_File_empty.txt",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission points to an empty file. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_File_empty.txt",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance points to an empty file. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_File_empty.txt");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Supplying text files should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_text_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to a file with only text. */
+  code = test_invalid_file_uri("Test_File_text.txt",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE);
+
+  /* Permission points to a file with only text. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_File_text.txt",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Governance points to a file with only text. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_File_text.txt");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Not supplying files should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_absent_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate points to a non-existing file.*/
+  code = test_invalid_file_uri("Test_File_absent.txt",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission points to a non-existing file.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_File_absent.txt",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance points to a non-existing file.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_File_absent.txt");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Not supplying file uris should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_no_files, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate file uri doesn't point to anything.*/
+  code = test_invalid_file_uri(NULL,
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Permission file uri doesn't point to anything.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               NULL,
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+
+  /* Governance file uri doesn't point to anything.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE);
+}
+
+/* Supplying empty data should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_empty_data, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate is empty data.*/
+  code = test_invalid_data_uri(NULL,
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE);
+
+  /* Permission is empty data.*/
+  code = test_invalid_data_uri("Test_Permissions_ca.pem",
+                               NULL,
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_PERMISSION_DOCUMENT_PROPERTY_CODE);
+
+  /* Governance is empty data.*/
+  code = test_invalid_data_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_GOVERNANCE_DOCUMENT_PROPERTY_CODE);
+}
+
+/* Supplying uris with invalid types should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_invalid_types, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate doesn't point to anything: results in invalid type.*/
+  code = test_invalid_type_uri(NULL,
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE);
+
+  /* Permission doesn't point to anything: results in invalid type.*/
+  code = test_invalid_type_uri("Test_Permissions_ca.pem",
+                               NULL,
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE);
+
+  /* Governance doesn't point to anything: results in invalid type*/
+  code = test_invalid_type_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE);
+}
+
+/* Not supplying actual uris should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, uri_null, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Certificate doesn't point to anything.*/
+  code = test_null_uri(NULL,
+                       "Test_Permissions_full.p7s",
+                       "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_MISSING_PROPERTY_CODE);
+
+  /* Permission doesn't point to anything.*/
+  code = test_null_uri("Test_Permissions_ca.pem",
+                       NULL,
+                       "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_MISSING_PROPERTY_CODE);
+
+  /* Governance doesn't point to anything.*/
+  code = test_null_uri("Test_Permissions_ca.pem",
+                       "Test_Permissions_full.p7s",
+                       NULL);
+  CU_ASSERT(code == DDS_SECURITY_ERR_MISSING_PROPERTY_CODE);
+}
+
+/* Corrupted signatures should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, corrupted_signatures, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Corrupt permission signature.*/
+  code = test_corrupted_signature(true /* Corrupt permissions? Yes. */,
+                                  false /* Corrupt governance?  No.  */);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Corrupt governance signature.*/
+  code = test_corrupted_signature(false /* Corrupt permissions? No.  */,
+                                  true /* Corrupt governance?  Yes. */);
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Unknown signatures should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, unknown_ca, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission with unknown CA.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_unknown_ca.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Governance with unknown CA.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_unknown_ca.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Un-available signatures should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, not_signed, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission not signed.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_not_signed.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+
+  /* Governance not signed.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_full.p7s",
+                               "Test_Governance_not_signed.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+}
+
+/* Permissions outside the validity data should fail the local */
+CU_Test(ddssec_builtin_validate_local_permissions, validity, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission already expired.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_expired.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE);
+
+  /* Permission not yet valid.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_notyet.p7s",
+                               "Test_Governance_full.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE);
+}
+
+/* Permissions document does not contain a proper subject_name,
+ * which should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, subject_name, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission document with unknown subject. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_unknown_subject.p7s",
+                               "Test_Governance_check_create_participant.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE);
+}
+
+/* Documents with invalid xml should fail the local permissions check. */
+CU_Test(ddssec_builtin_validate_local_permissions, xml_invalid, .init = suite_validate_local_permissions_init, .fini = suite_validate_local_permissions_fini)
+{
+  DDS_Security_long code;
+
+  /* Permission XML contains invalid domain id. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_invalid_data.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Permission XML contains invalid domain id. */
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_invalid_element.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Permission XML is missing the 'not before' validity tag.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_lack_of_not_before.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Permission XML is missing the 'not after' validity tag.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_lack_of_not_after.p7s",
+                               "Test_Governance_ok.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+
+  /* Governance XML contains invalid encryption kind.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_ok.p7s",
+                               "Test_Governance_invalid_data.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE);
+
+  /* Governance XML contains unknown element.*/
+  code = test_invalid_file_uri("Test_Permissions_ca.pem",
+                               "Test_Permissions_ok.p7s",
+                               "Test_Governance_invalid_element.p7s");
+  CU_ASSERT(code == DDS_SECURITY_ERR_CAN_NOT_PARSE_GOVERNANCE_CODE);
+}
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Governance_ok.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Governance_ok.p7s
new file mode 100644
index 0000000..c39903f
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Governance_ok.p7s
@@ -0,0 +1,114 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
+
+This is an S/MIME signed message
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
+20170801/omg_shared_ca_domain_governance.xsd">
+    <domain_access_rules>
+        <domain_rule>
+            <domains>
+                <!-- All domains -->
+                <id_range>
+                    <min>0</min>
+                    <max>230</max>
+                </id_range>
+            </domains>
+
+            <!-- DomainParticipant that cann not authenticate or fail the authentication should be
+                 allowed to join the domain and see any any discovery data that are configured as "unprotected"
+                 and topics that are configured as "unprotected" -->
+            <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
+
+            <!--  Only and any authenticated DomainParticipant should be allowed to join the domain and
+                  see the discovery data without checking access control  -->
+            <enable_join_access_control>true</enable_join_access_control>
+
+            <!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
+            <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
+
+            <!--  Liveliness messages are also encrypted -->
+            <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
+
+            <!-- Whole RTPS message is not protected -->
+            <rtps_protection_kind>NONE</rtps_protection_kind>
+
+            <topic_access_rules>
+                <topic_rule>
+                    <!-- All (non-builtin) topics -->
+                    <topic_expression>*</topic_expression>
+
+                    <!-- Liveliness QoS data is protected -->
+                    <enable_liveliness_protection>true</enable_liveliness_protection>
+
+                    <!-- The discovery information on specific Topics should be sent
+                         using the secure (protected) discovery writers -->
+                    <enable_discovery_protection>true</enable_discovery_protection>
+
+                    <!-- The read access to all topics should be open to all. -->
+                    <enable_read_access_control>false</enable_read_access_control>
+
+                    <!-- The write access to all topics should be open to all. -->
+                    <enable_write_access_control>false</enable_write_access_control>
+
+                    <!-- Whole RTPS sub-message is protected. This includes metadata information
+                         like sequence numbers, heartbeats, key hashes, gaps,
+                         acknowledgment messages, etc. It also includes th possible payload. -->
+                    <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
+
+                    <!-- The payload data sent on the Topic (serialized application level data) should be
+                         protected with Encrypt then MAC. -->
+                    <data_protection_kind>ENCRYPT</data_protection_kind>
+                </topic_rule>
+            </topic_access_rules>
+        </domain_rule>
+    </domain_access_rules>
+</dds>
+
+------DB94A190D9780A24156FB0E8F1E76B5F
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGSAYJKoZIhvcNAQcCoIIGOTCCBjUCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCAnswggJ3AgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTgwOTEzMDczOTUwWjAvBgkqhkiG9w0BCQQxIgQgXv8DkvlwebXMwHDbNc0/Pc30
+gyG3xWCnwet49TRMWFsweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ
+YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
+AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI
+hvcNAQEBBQAEggEANy8t0EFmv5j1n0+mMn2ut3Chu8PSJceC8gd34IiKq79uC1O3
+PbL9xgiJ2vz7QiTEEeNL2q+CG77cXOcHGUWa4nvbggr/9CqLfHEKGQxDfyXlJZfM
+8l550xIXRRBOQ7ilOGLD4QJFfbf9XA4rMuRe8WEYN3FleAaYBJag1tMPg1SS6tgA
+BBDM9b1kXHU319zYOk6kZFjlbwHv6XO22SEVRUpXrKudAI8hrGvwksF/+W0S/jS5
+NmYtj/1oMGlCGIaA5rs27H9CkgwrzoMQ3MsR98JlwEUSa4PEe8CClsIziOulQxsp
+MicBlMWL0rzpBPVfPTE4gZ/kP7hGBDEQlRzVTA==
+
+------DB94A190D9780A24156FB0E8F1E76B5F--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.p7s
new file mode 100644
index 0000000..13273ba
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.p7s
@@ -0,0 +1,96 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----57B71E0E17C33E9E1569D11B98DA1D03"
+
+This is an S/MIME signed message
+
+------57B71E0E17C33E9E1569D11B98DA1D03
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------57B71E0E17C33E9E1569D11B98DA1D03
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgocQS4FLDqU6X3kzlYhW9GLLt
+ItKIWQ9ghIL29OEyHPcwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBADPtNnKmzgMNaoeAiyxH
+0oO3D9qsLWlon9eG+ri3e4O4IBGAwPtwN92ah3OmqXeB7xqBlZwnR4jQIxwVl8eL
+Zs2y7lJ6LxPYHJj6qERlYbRjS55X7Wnjcwy81w+yQelSLFcKvdmrV5HIuLbeskWw
+WiJxu3Sxtett3NnJxV5za6C27pxGXmv+xdspUe1Zeoz7WjAA0ljOazSUXAyCriQH
+LXSGjTM8Lgn/P8xJTVzGgxmLmGm9fAhhYk+25G9Fspomigvnj+B6HobEf4xKA/Mm
+WPaLsNkLtbi954g5+EM9AOjpCR/2Ii1NB4lWeKGZLtbEm71dEUe2VDePy2ju+oOB
+9ec=
+
+------57B71E0E17C33E9E1569D11B98DA1D03--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.xml
new file mode 100644
index 0000000..585030e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_different_subject_representation.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.p7s
new file mode 100644
index 0000000..bf35bf7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----11798C99B4C31493D0479BB8A2064C72"
+
+This is an S/MIME signed message
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------11798C99B4C31493D0479BB8A2064C72
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgXPEkUvQgZwRMdZgxT8k/mrsJ
+delB0E3RjpayHUkKYzowgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAA/TNULF62fO5mfjXm1L
+Yk4Dg/5ZxAF/grDAjamo5v2fxGn6B1rrkj8YtyB1FEA0moM/cL31kNXNMqLvFdhY
+lHCmX8x5PHkKzLihTIMx6diSCupBvvqUACeA7Ir1A3tMqW5tYYMg6sZ/YolgLLFG
+8XmhttpEibtZm90MN3Xpsa4TiW5PlEWHC5ai3tyeyd/RCVoeQJVA0pAytmjdf2Mw
+C3W/28tUxVCAjdlqXYap6jWZlNv/43P5HED837bF5iqoa1dTvDirca6WPanNjp28
+GQDi4bnD1kAk8wAKIm14qwS+fzxM3SKxJtdQuUCx+s/tPma4bLCqt843ok35SoWo
+QKM=
+
+------11798C99B4C31493D0479BB8A2064C72--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.xml
new file mode 100644
index 0000000..f408942
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_expired.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2016-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.p7s
new file mode 100644
index 0000000..b3b969e
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.p7s
@@ -0,0 +1,219 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62BE4CE8CF1FCB0420A2F2884B1618E6"
+
+This is an S/MIME signed message
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQghoicue+FOmdIHF9rpsNCfmjP
++ZyN+t9kCdmR68JCJU0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAI0BX2tu2DbQjvuzKG35
+myNBcOC9ZzRDqJEtmQhcY/2hAJzurlnclJVTEXFyXdpV4ywtA+lQvbtToh11AvnY
+IY1QWNVm19mfO1J6m6PFu18tizd30sG7p1TZKxGB3zDeVVqmedZ+o7QJHv9/ixzz
+Pyo2B9tG5Su94+ADc0LQNyGICjeMr7L6dhFDsm7fXBi8pMBKy/zEAynTA3r1ibsn
+5zlizPMlad2HCaYv44x7Xksg9FSbzJwJpTiprbQbZSUPYk4WlfVz0l4plzRKu4AP
+lCOsdRE6C6GQFnK5bLyndu3Ycp10niwfkfobruCDyigu+gjZtmmF/T7A8Xkk1uvx
+fAM=
+
+------62BE4CE8CF1FCB0420A2F2884B1618E6--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.xml
new file mode 100644
index 0000000..5ebb397
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_invalid_data.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>430</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+		    <partitions>
+			<partition>Apart</partition>
+			<partition>Bpa?t*</partition>
+		    </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.p7s
new file mode 100644
index 0000000..1362a86
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.p7s
@@ -0,0 +1,96 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DE8A6693E9678989859C23D21F4587AD"
+
+This is an S/MIME signed message
+
+------DE8A6693E9678989859C23D21F4587AD
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------DE8A6693E9678989859C23D21F4587AD
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgrFwsV4SyJfHq+dBhrRXj6PlS
+nZYIo1hJ+L29+U2Xpk0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAAt1pbdIgmqHNrruevrr
+TUptMNDw6YzlmXpWAq3KZBGaeaiHpYbkI+WhJJee9hG7bF9NGI/SfjPhiaiTjk2X
+XCgmFZJUQhY8pOWkVPSAhBxd+r4kQtRxo2Na148Z2nrxeqcLbk+SE1hxTwT2OgLh
+HWHBoQofZcRFp36Z9v51fZHAZLbQ8pD45+oAe/7ElyrO80MnJc+2RUxcnLScT1J0
+ykgTsgrQxcVVZX6EFHhQxnzpqCbjGvpdGSnyojAFI4PuQ3uNiOTPTYqad4jf/vIq
+YHngEXSMN8wkd8bopl1EPVdxDqKkXuwAb29Q6UvDWLQ4IDZkdHTWc/ojiKjxWsKF
+wuQ=
+
+------DE8A6693E9678989859C23D21F4587AD--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.xml
new file mode 100644
index 0000000..de70a1c
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_missing_subject_component.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/CN=CHAM500 cert</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_not_signed.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_not_signed.p7s
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_not_signed.p7s
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.p7s
new file mode 100644
index 0000000..7fd4098
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.p7s
@@ -0,0 +1,243 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F87E07CA6CCEAB50B03A143AC2354EB4"
+
+This is an S/MIME signed message
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
+
+------F87E07CA6CCEAB50B03A143AC2354EB4
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg0GGu1gWhHWhfWnmg55AIr4tv
+zMK0kIxNfJYQbb7LpJ8wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBALsPI2+b0w+iUPJGJeMd
+VdrY7s/GZYm6M8qOA5fmh3144bY1rZRjdHjXtLdaNDNN1Z5buRCiQcklAilf6O14
+7u6a5HR12N4LTbg3OYQplwz4ed/wBsL726htmkAK3JogGk5OVLqmmdrz3UOD8IaZ
+wAfx2tpj3VJOVuW0XsqOrzQpnOjGWcPeOw6NAxRH1gLsxBP9HDz5+wrsKXjV/zG8
+dFTaZ0bKnBXTp5ccc9jB4qbcllC9nlJkJszGqvwOP7zWBAOXeU+joUGM4Bt+8Pmt
+pKsVAmEqMpc368RMayDBWtTqUWpUKvDh4HSkuOGD4Hj5ViAoLFjisROhIK2d98XI
+cRQ=
+
+------F87E07CA6CCEAB50B03A143AC2354EB4--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.xml
new file mode 100644
index 0000000..99fec50
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_notyet.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2035-09-15T01:00:00</not_before>
+                <not_after>2046-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </deny_rule>
+
+            <default>DENY</default>
+        </grant>
+        <grant name="SpareNodeOpenSplicePermissions">
+            <subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                <!-- All domains -->
+                 <id>20</id>
+                 <id>30</id>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+               </domains>
+                <publish>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>K*</topic>
+                        <topic>*OldMessage</topic>
+                        <topic>OldMessanger</topic>
+                        <topic>NewMessage</topic>
+                    </topics>
+        <partitions>
+      <partition>Apart</partition>
+      <partition>Bpa?t*</partition>
+        </partitions>
+                </subscribe>
+            </allow_rule>
+            <deny_rule>
+                <domains>
+                 <id_range>
+                     <min>0</min>
+                     <max>23</max>
+                 </id_range>
+                 <id_range>
+                     <min>100</min>
+                     <max>120</max>
+                 </id_range>
+                 <id>200</id>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </subscribe>
+                <relay>
+                  <topics>
+                        <topic>P*</topic>
+                        <topic>*WrongMessage</topic>
+                        <topic>FakeMessanger</topic>
+                        <topic>ChangedMessage</topic>
+                    </topics>
+                    <partitions>
+                      <partition>Apart</partition>
+                      <partition>Bpa?t*</partition>
+                    </partitions>
+                    <data_tags>
+                      <tag>
+                        <name>aTagName1</name>
+                        <value>aTagValue1</value>
+                      </tag>
+                    </data_tags>
+                </relay>
+            </deny_rule>
+
+            <default>ALLOW</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.p7s
new file mode 100644
index 0000000..052075b
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
+
+This is an S/MIME signed message
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------6B91005B007BBA8EDE10CD1CE487DB27
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
+/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
+SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
+mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
+2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
+YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
+X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
+aNQ=
+
+------6B91005B007BBA8EDE10CD1CE487DB27--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.xml
new file mode 100644
index 0000000..8759d91
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_ok.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_ca.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_ca.p7s
new file mode 100644
index 0000000..6a2905a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_ca.p7s
@@ -0,0 +1,87 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7FBACED8776E5A4CF7612C83F9C33E17"
+
+This is an S/MIME signed message
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>/C=NL/ST=Some-State/O=ADLINK Technolocy Inc./CN=adlinktech.com</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7FBACED8776E5A4CF7612C83F9C33E17
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
+pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
+YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
+MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
+NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
+aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
+czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
+Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
+MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
+f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
+/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
+YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
+WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
+T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
+e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
+TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
+k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
+gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
+DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
+bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
+CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
+9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIzMDNa
+MC8GCSqGSIb3DQEJBDEiBCCvP08gFBO7651mPPDFQ2suhL+eprGCGuRLXmiBmdvx
+ITB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
+YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
+AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQB/
+4EQel+0LsmiNFCUjWM68u4ZvPtFBpeDe456DJuG6QR0LIzW42U7N4P2ZTIqjpGZx
+YekBCNdkiVy6ER5IA4WfcKd6zXZEuXVxkMrGpJlqGdd+IdZpTsrBygGZJS4vMUfD
+/6ty6OycET88RmJIu4V/TM3yLVKzHuj6TxCXb4OIYx8g3mdXUwUrp6DGgqggRSPJ
+tatbpnqGZGcvty8MusXVnjnEwUWnJ/jojypY3MyL4MTbjufjv0K6NKQ3RzoLssot
+SLq0YDLwvX/s9sLXDCedAwFXBS/6Qv56v0M2x4o8e3Eul7gGTMuCd/dJ0BhF8CW+
+IGxR5I3xXssh/AuWRRtV
+
+------7FBACED8776E5A4CF7612C83F9C33E17--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.p7s b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.p7s
new file mode 100644
index 0000000..fb488c7
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.p7s
@@ -0,0 +1,85 @@
+MIME-Version: 1.0
+Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7B161F9203F175A7F82A389A3E044741"
+
+This is an S/MIME signed message
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: text/plain
+
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
+
+------7B161F9203F175A7F82A389A3E044741
+Content-Type: application/x-pkcs7-signature; name="smime.p7s"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="smime.p7s"
+
+MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
+hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
+CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
+DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
+bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
+TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
+b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
+ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
+icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
+DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
+BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
+SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
+HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
+RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
+ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
+Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
+yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
+lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
++OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
+6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
+BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
+FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
+BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
+MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg44QSCYJrKGm9hdPbOKQjrnQ8
+LXMSbo0mve1cRKvrm3gwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
+BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
+KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
+MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAH/fJ90OwloC73faPAGC
+VRZrhW/gSsy/1VnprvWdDAU1ZZK+srIISFZAy19LcApTis0Vy9yz2PG8pue49R+y
+UF6mCDSuN/l9SRBdUN+CXQdQ8sGq5SHXNhGzSX/nbR20ol4cSUMpKlEGx66E0KUW
+tkk8HzYw7aHMiwK2E2Y0sbm/M/rdmAbgEoywYfvc25V4FHP66TstfCLBjN9Hz3bH
+WcrCZuPjZo6vBd/rIJQSlgH81aCWn5RfCIccbc3iogwzIhYxAr6d+4do3LNa6H80
+W6CMgl0AnWFfa4QwnXFUzb1/W2rFjHp453w1Cbqk4Ll4ZlVJr4fzIuyuJMQlMrmK
+1P0=
+
+------7B161F9203F175A7F82A389A3E044741--
+
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.xml b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.xml
new file mode 100644
index 0000000..8a55faf
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/etc/Test_Permissions_unknown_subject.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
+    <permissions>
+        <grant name="OpenSplicePermissions">
+            <subject_name>gibberish</subject_name>
+            <validity>
+                <!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
+                <not_before>2015-09-15T01:00:00</not_before>
+                <not_after>2115-09-15T01:00:00</not_after>
+            </validity>
+            <allow_rule>
+                <domains>
+                    <id_range>
+                        <min>0</min>
+                        <max>230</max>
+                    </id_range>
+                </domains>
+                <publish>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </publish>
+                <subscribe>
+                    <topics>
+                        <topic>*</topic>
+                    </topics>
+                </subscribe>
+            </allow_rule>
+            <default>DENY</default>
+        </grant>
+    </permissions>
+</dds>
diff --git a/src/security/builtin_plugins/tests/validate_remote_permissions/src/validate_remote_permissions_utests.c b/src/security/builtin_plugins/tests/validate_remote_permissions/src/validate_remote_permissions_utests.c
new file mode 100644
index 0000000..137137a
--- /dev/null
+++ b/src/security/builtin_plugins/tests/validate_remote_permissions/src/validate_remote_permissions_utests.c
@@ -0,0 +1,1068 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+#include <assert.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+#include "dds/ddsrt/environ.h"
+#include "dds/ddsrt/heap.h"
+#include "dds/ddsrt/io.h"
+#include "dds/ddsrt/string.h"
+#include "dds/ddsrt/types.h"
+#include "dds/security/dds_security_api.h"
+#include "dds/security/core/dds_security_utils.h"
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "common/src/loader.h"
+#include "config_env.h"
+
+static const char *ACCESS_PERMISSIONS_TOKEN_ID = "DDS:Access:Permissions:1.0";
+static const char *AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
+
+static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
+static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
+static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
+static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
+static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
+static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
+
+static const char *PROPERTY_PERMISSIONS_CA_SN = "dds.perm_ca.sn";
+static const char *PROPERTY_PERMISSIONS_CA_ALGO = "dds.perm_ca.algo";
+static const char *PROPERTY_C_ID = "c.id";
+static const char *PROPERTY_C_PERM = "c.perm";
+
+static const char *SUBJECT_NAME_PERMISSIONS_CA = "C=NL, ST=Some-State, O=ADLINK Technolocy Inc., CN=adlinktech.com";
+static const char *RSA_2048_ALGORITHM_NAME = "RSA-2048";
+
+static const char *RELATIVE_PATH_TO_ETC_DIR = "/validate_remote_permissions/etc/";
+
+static const char *identity_certificate =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
+    "MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
+    "ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
+    "gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
+    "3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
+    "ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
+    "qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
+    "ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
+    "/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
+    "KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
+    "AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
+    "gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
+    "KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
+    "BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
+    "Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
+    "yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
+    "I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
+    "iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
+    "nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *identity_ca =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
+    "BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
+    "ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
+    "MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
+    "CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
+    "MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+    "DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
+    "ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
+    "2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
+    "zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
+    "pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
+    "FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
+    "BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
+    "gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
+    "Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
+    "BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
+    "KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
+    "KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
+    "AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
+    "hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
+    "iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
+    "LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
+    "geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
+    "Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
+    "sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
+    "-----END CERTIFICATE-----\n";
+
+static const char *private_key =
+    "data:,-----BEGIN RSA PRIVATE KEY-----\n"
+    "MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
+    "Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
+    "JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
+    "AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
+    "psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
+    "A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
+    "m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
+    "GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
+    "BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
+    "iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
+    "Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
+    "2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
+    "T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
+    "D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
+    "Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
+    "eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
+    "2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
+    "0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
+    "O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
+    "pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
+    "VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
+    "X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
+    "NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
+    "nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
+    "w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
+    "-----END RSA PRIVATE KEY-----\n";
+
+static const char *permissions_ca =
+    "data:,-----BEGIN CERTIFICATE-----\n"
+    "MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
+    "BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
+    "aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
+    "MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
+    "ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
+    "BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
+    "CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
+    "uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
+    "NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
+    "cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
+    "FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
+    "kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
+    "ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
+    "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
+    "LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
+    "eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
+    "KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
+    "PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
+    "hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
+    "HQ==\n"
+    "-----END CERTIFICATE-----\n";
+
+static struct plugins_hdl *plugins = NULL;
+static dds_security_authentication *auth = NULL;
+static dds_security_access_control *access_control = NULL;
+static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
+static DDS_Security_GUID_t local_participant_guid;
+static char *g_path_to_etc_dir = NULL;
+
+static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
+{
+  seq->_length = size;
+  seq->_maximum = size;
+  seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
+  memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
+}
+
+static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
+{
+  uint32_t i;
+
+  for (i = 0; i < seq->_length; i++)
+  {
+    ddsrt_free(seq->_buffer[i].name);
+    ddsrt_free(seq->_buffer[i].value);
+  }
+  ddsrt_free(seq->_buffer);
+}
+
+static void reset_exception(DDS_Security_SecurityException *ex)
+{
+  ex->code = 0;
+  ex->minor_code = 0;
+  ddsrt_free(ex->message);
+  ex->message = NULL;
+}
+
+static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
+{
+  char *permission_uri;
+  char *governance_uri;
+
+  ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
+  ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
+
+  memset(qos, 0, sizeof(*qos));
+  dds_security_property_init(&qos->property.value, 6);
+  qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+  qos->property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
+  qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
+  qos->property.value._buffer[1].value = ddsrt_strdup(identity_ca);
+  qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
+  qos->property.value._buffer[2].value = ddsrt_strdup(private_key);
+  qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
+  qos->property.value._buffer[3].value = ddsrt_strdup(permissions_ca);
+  qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
+  qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
+  qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
+  qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
+
+  ddsrt_free(permission_uri);
+  ddsrt_free(governance_uri);
+}
+
+static void fill_permissions_token(DDS_Security_PermissionsToken *token)
+{
+  memset(token, 0, sizeof(DDS_Security_PermissionsToken));
+
+  token->class_id = ddsrt_strdup(ACCESS_PERMISSIONS_TOKEN_ID);
+  token->properties._length = token->properties._maximum = 2;
+  token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+  token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_SN);
+  token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_PERMISSIONS_CA);
+
+  token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_ALGO);
+  token->properties._buffer[1].value = ddsrt_strdup(RSA_2048_ALGORITHM_NAME);
+}
+
+static int fill_peer_credential_token(DDS_Security_AuthenticatedPeerCredentialToken *token, const char *permission_filename)
+{
+  int result = 1;
+  char *permission_uri;
+  char *permission_data;
+
+  memset(token, 0, sizeof(DDS_Security_AuthenticatedPeerCredentialToken));
+
+  ddsrt_asprintf(&permission_uri, "%s%s", g_path_to_etc_dir, permission_filename);
+
+  permission_data = load_file_contents(permission_uri);
+
+  if (permission_data)
+  {
+    token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+    token->properties._length = token->properties._maximum = 2;
+    token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+    token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_C_ID);
+    token->properties._buffer[0].value = ddsrt_strdup(&identity_certificate[6]);
+
+    token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_C_PERM);
+    token->properties._buffer[1].value = permission_data;
+  }
+  else
+  {
+    ddsrt_free(permission_data);
+    result = 0;
+  }
+  ddsrt_free(permission_uri);
+
+  return result;
+}
+
+static void corrupt_permission_signature(DDS_Security_AuthenticatedPeerCredentialToken *token)
+{
+  DDS_Security_string permissions;
+  size_t len;
+
+  /* It is expected that the permissions are available in a fixed location. */
+  CU_ASSERT_FATAL(token != NULL);
+  CU_ASSERT_FATAL(token->properties._buffer != NULL);
+  CU_ASSERT_FATAL(token->properties._length == 2);
+  CU_ASSERT_FATAL(token->properties._buffer[1].name != NULL);
+  CU_ASSERT_FATAL(token->properties._buffer[1].value != NULL);
+  CU_ASSERT_FATAL(strcmp(token->properties._buffer[1].name, PROPERTY_C_PERM) == 0);
+
+  /* Corrupt a byte somewhere in the signature. */
+  permissions = token->properties._buffer[1].value;
+  CU_ASSERT_FATAL(permissions != NULL);
+  len = strlen(permissions);
+  CU_ASSERT_FATAL(len > 100);
+  permissions[len - 75]--;
+}
+
+static int validate_local_identity_and_permissions(void)
+{
+  int res = 0;
+  DDS_Security_ValidationResult_t result;
+  DDS_Security_DomainId domain_id = 0;
+  DDS_Security_Qos participant_qos;
+  DDS_Security_GUID_t candidate_participant_guid;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
+  DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
+
+  memset(&local_participant_guid, 0, sizeof(local_participant_guid));
+  memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
+  memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
+
+  fill_participant_qos(&participant_qos, "Test_Permissions_ok.p7s", "Test_Governance_ok.p7s");
+
+  /* Now call the function. */
+  result = auth->validate_local_identity(
+      auth,
+      &local_identity_handle,
+      &local_participant_guid,
+      domain_id,
+      &participant_qos,
+      &candidate_participant_guid,
+      &exception);
+
+  if (result != DDS_SECURITY_VALIDATION_OK)
+  {
+    res = -1;
+    printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  reset_exception(&exception);
+
+  if (res == 0)
+  {
+    local_permissions_handle = access_control->validate_local_permissions(
+        access_control,
+        auth,
+        local_identity_handle,
+        0,
+        &participant_qos,
+        &exception);
+
+    if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
+    {
+      res = -1;
+      printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+    }
+  }
+
+  dds_security_property_deinit(&participant_qos.property.value);
+
+  return res;
+}
+
+static void clear_local_identity_and_permissions(void)
+{
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  DDS_Security_boolean success;
+
+  if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
+    if (!success)
+      printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+
+  if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
+  {
+    success = auth->return_identity_handle(auth, local_identity_handle, &exception);
+    if (!success)
+      printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
+    reset_exception(&exception);
+  }
+}
+
+static void set_path_to_etc_dir(void)
+{
+  ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
+}
+
+static void suite_validate_remote_permissions_init(void)
+{
+  plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
+  CU_ASSERT_FATAL(plugins != NULL);
+  set_path_to_etc_dir();
+  validate_local_identity_and_permissions();
+}
+
+static void suite_validate_remote_permissions_fini(void)
+{
+  clear_local_identity_and_permissions();
+  unload_plugins(plugins);
+  ddsrt_free(g_path_to_etc_dir);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, valid_permissions, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_ok.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  reset_exception(&exception);
+  CU_ASSERT_FATAL(result != 0);
+  access_control->return_permissions_handle(access_control, result, &exception);
+  reset_exception(&exception);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_unknown_ca, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_unknown_ca.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_not_signed, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_not_signed.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, invalid_credential_token, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  remote_identity_handle++;
+
+  fill_permissions_token(&permissions_token);
+
+  /* empty peer credential token */
+  memset(&credential_token, 0, sizeof(credential_token));
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with invalid class id */
+  credential_token.class_id = "UNKNOWN";
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no properties */
+  credential_token.class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with empty properties */
+  credential_token.properties._length = credential_token.properties._maximum = 2;
+  credential_token.properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no c.id value */
+  credential_token.properties._buffer[0].name = ddsrt_strdup(PROPERTY_C_ID);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no c.perm */
+  credential_token.properties._buffer[0].value = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with no c.perm value*/
+  credential_token.properties._buffer[1].name = ddsrt_strdup(PROPERTY_C_PERM);
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  /* peer credential token with invalid c.perm value */
+  credential_token.properties._buffer[1].value = ddsrt_strdup("Invalid value");
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  if (result == 0)
+  {
+    printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
+  }
+
+  CU_ASSERT(result == 0);
+  if (result == 0)
+  {
+    CU_ASSERT(exception.code != 0);
+    CU_ASSERT(exception.message != NULL);
+  }
+  else
+  {
+    reset_exception(&exception);
+    access_control->return_permissions_handle(access_control, result, &exception);
+  }
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, invalid_xml, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  //permissions_token.
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_invalid_data.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT(result == 0);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_CAN_NOT_PARSE_PERMISSIONS_CODE);
+  CU_ASSERT(exception.message != NULL);
+  if (exception.message)
+  {
+    printf("(%d) %s\n", (int)exception.code, exception.message);
+  }
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_expired, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_expired.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE);
+  CU_ASSERT_NSTRING_EQUAL_FATAL(DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE, exception.message, strlen(DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE) - 16);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_not_yet, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_notyet.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE);
+  CU_ASSERT_NSTRING_EQUAL_FATAL(DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE, exception.message, strlen(DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE) - 14);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_unknown_subject_name, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_unknown_subject.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE);
+  CU_ASSERT_STRING_EQUAL_FATAL(DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE, exception.message);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+
+  /* missing subject name component */
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_missing_subject_component.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result == 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE);
+  CU_ASSERT_STRING_EQUAL_FATAL(DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE, exception.message);
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, permissions_different_subject, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_different_subject_representation.p7s");
+  CU_ASSERT_FATAL(r);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT_FATAL(result != 0);
+  CU_ASSERT_FATAL(exception.code == DDS_SECURITY_ERR_OK_CODE);
+
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
+
+CU_Test(ddssec_builtin_validate_remote_permissions, corrupted_signature, .init = suite_validate_remote_permissions_init, .fini = suite_validate_remote_permissions_fini)
+{
+  DDS_Security_PermissionsHandle result;
+  DDS_Security_PermissionsToken permissions_token;
+  DDS_Security_AuthenticatedPeerCredentialToken credential_token;
+  DDS_Security_SecurityException exception = {NULL, 0, 0};
+  int r;
+
+  /* Check if we actually have validate_remote_permissions function. */
+  CU_ASSERT_FATAL(access_control != NULL);
+  CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
+  CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
+  CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
+
+  fill_permissions_token(&permissions_token);
+  //permissions_token.
+  r = fill_peer_credential_token(&credential_token, "Test_Permissions_ok.p7s");
+  CU_ASSERT_FATAL(r);
+
+  corrupt_permission_signature(&credential_token);
+
+  remote_identity_handle++;
+
+  result = access_control->validate_remote_permissions(
+      access_control,
+      auth,
+      local_identity_handle,
+      remote_identity_handle,
+      &permissions_token,
+      &credential_token,
+      &exception);
+
+  CU_ASSERT(result == 0);
+  CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE);
+  CU_ASSERT(exception.message != NULL);
+  if (exception.message)
+  {
+    printf("(%d) %s\n", (int)exception.code, exception.message);
+  }
+  reset_exception(&exception);
+
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
+  DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
+}
diff --git a/src/security/core/include/dds/security/core/dds_security_utils.h b/src/security/core/include/dds/security/core/dds_security_utils.h
index fe975d6..a66c4d3 100644
--- a/src/security/core/include/dds/security/core/dds_security_utils.h
+++ b/src/security/core/include/dds/security/core/dds_security_utils.h
@@ -13,10 +13,12 @@
 #ifndef DSCMN_SECURITY_UTILS_H_
 #define DSCMN_SECURITY_UTILS_H_
 
-#include "dds/export.h"
 #include <stddef.h>
 #include <stdint.h>
 #include <stdbool.h>
+#include "dds/export.h"
+#include "dds/ddsrt/strtol.h"
+#include "dds/ddsrt/time.h"
 #include "dds/security/core/dds_security_types.h"
 #include "dds/security/dds_security_api.h"
 
@@ -339,6 +341,10 @@ ddssec_strchrs (
         const char *chrs,
         bool inc);
 
+DDS_EXPORT dds_time_t
+DDS_Security_parse_xml_date(
+        char *buf);
+
 
 #define DDS_Security_ParticipantCryptoTokenSeq_alloc() \
                     DDS_Security_DataHolderSeq_alloc())
diff --git a/src/security/core/src/dds_security_utils.c b/src/security/core/src/dds_security_utils.c
index 665e587..8a5cef7 100644
--- a/src/security/core/src/dds_security_utils.c
+++ b/src/security/core/src/dds_security_utils.c
@@ -807,47 +807,34 @@ DDS_Security_Exception_set(
 #if DDSI_INCLUDE_SSL
 DDS_EXPORT void
 DDS_Security_Exception_set_with_openssl_error(
-         DDS_Security_SecurityException *ex,
-         const char *context,
-         int code,
-         int minor_code,
-         const char *error_area
-        )
+    DDS_Security_SecurityException *ex,
+    const char *context,
+    int code,
+    int minor_code,
+    const char *error_area)
 {
+    BIO *bio;
+    assert(context);
+    assert(error_area);
+    assert(ex);
+    DDSRT_UNUSED_ARG(context);
 
-  BIO *bio;
-  char *buf = NULL;
-  char *str;
-  size_t len; /*BIO_get_mem_data requires long int */
-  assert(context);
-  assert(error_area);
-  assert(ex);
-  DDSRT_UNUSED_ARG( context );
-
-  bio = BIO_new(BIO_s_mem());
-
-  if (bio) {
-      size_t exception_msg_len;
-      ERR_print_errors(bio);
-      len = (size_t)BIO_get_mem_data (bio, &buf);
-      exception_msg_len = len + strlen(error_area) + 1;
-      str = ddsrt_malloc(  exception_msg_len );
-
-      ddsrt_strlcpy(str, error_area, exception_msg_len);
-      memcpy(str + strlen(error_area), buf, len );
-      str [ exception_msg_len -1 ] = '\0';
-      //snprintf( str, exception_msg_len, "%s%s", error_area, buf );
-
-      ex->message = str;
-      ex->code = code;
-      ex->minor_code = minor_code;
-
-      BIO_free(bio);
-
-  } else {
-      DDS_Security_Exception_set(ex, context, code,  minor_code, "BIO_new failed");
-  }
-
+    if ((bio = BIO_new(BIO_s_mem()))) {
+        ERR_print_errors(bio);
+        char *buf = NULL;
+        size_t len = (size_t)BIO_get_mem_data(bio, &buf);
+        size_t exception_msg_len = len + strlen(error_area) + 1;
+        char *str = ddsrt_malloc(exception_msg_len);
+        ddsrt_strlcpy(str, error_area, exception_msg_len);
+        memcpy(str + strlen(error_area), buf, len);
+        str[exception_msg_len - 1] = '\0';
+        ex->message = str;
+        ex->code = code;
+        ex->minor_code = minor_code;
+        BIO_free(bio);
+    } else {
+        DDS_Security_Exception_set(ex, context, code, minor_code, "BIO_new failed");
+    }
 }
 #endif
 
@@ -1104,6 +1091,203 @@ DDS_Security_normalize_file(
     }
 #undef __FILESEPCHAR
     return norm;
-
 }
 
+/**
+ * Parses an XML date string and returns this as a dds_time_t value. As leap seconds are not permitted
+ * in the XML date format (as stated in the XML Schema specification), this parser function does not
+ * accept leap seconds in its input string. This complies with the dds_time_t representation on posix,
+ * which is a unix timestamp (that also ignores leap seconds).
+ *
+ * As a dds_time_t is expressed as nanoseconds, the fractional seconds part of the input string will
+ * be rounded in case the fractional part has more than 9 digits.
+ */
+dds_time_t
+DDS_Security_parse_xml_date(
+    char *buf)
+{
+  int32_t year = -1;
+  int32_t month = -1;
+  int32_t day = -1;
+  int32_t hour = -1;
+  int32_t minute = -1;
+  int32_t second = -1;
+  int32_t hour_offset = -1;
+  int32_t minute_offset = -1;
+
+  int64_t frac_ns = 0;
+
+  size_t cnt = 0;
+  size_t cnt_frac_sec = 0;
+
+  assert(buf != NULL);
+
+  /* Make an integrity check of the string before the conversion*/
+  while (buf[cnt] != '\0')
+  {
+    if (cnt == 4 || cnt == 7)
+    {
+      if (buf[cnt] != '-')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 10)
+    {
+      if (buf[cnt] != 'T')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 13 || cnt == 16)
+    {
+      if (buf[cnt] != ':')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 19)
+    {
+      if (buf[cnt] != 'Z' && buf[cnt] != '+' && buf[cnt] != '-' && buf[cnt] != '.')
+        return DDS_TIME_INVALID;
+
+      /* If a dot is found then a variable number of fractional seconds is present.
+               A second integrity loop to account for the variability is used */
+      if (buf[cnt] == '.' && !cnt_frac_sec)
+      {
+        cnt_frac_sec = 1;
+        while (buf[cnt + 1] != '\0' && buf[cnt + 1] >= '0' && buf[cnt + 1] <= '9')
+        {
+          cnt_frac_sec++;
+          cnt++;
+        }
+      }
+    }
+    else if (cnt == 19 + cnt_frac_sec)
+    {
+      if (buf[cnt] != 'Z' && buf[cnt] != '+' && buf[cnt] != '-')
+        return DDS_TIME_INVALID;
+    }
+    else if (cnt == 22 + cnt_frac_sec)
+    {
+      if (buf[cnt] != ':')
+        return DDS_TIME_INVALID;
+    }
+    else
+    {
+      if (buf[cnt] < '0' || buf[cnt] > '9')
+        return DDS_TIME_INVALID;
+    }
+    cnt++;
+  }
+
+  /* Do not allow more than 12 (13 including the dot) and less than 1 fractional second digits if they are used */
+  if (cnt_frac_sec && (cnt_frac_sec < 2 || cnt_frac_sec > 13))
+    return DDS_TIME_INVALID;
+
+  /* Valid string length value at this stage are 19, 20 and 25 plus the fractional seconds part */
+  if (cnt != 19 + cnt_frac_sec && cnt != 20 + cnt_frac_sec && cnt != 25 + cnt_frac_sec)
+    return DDS_TIME_INVALID;
+
+  year = ddsrt_todigit(buf[0]) * 1000 + ddsrt_todigit(buf[1]) * 100 + ddsrt_todigit(buf[2]) * 10 + ddsrt_todigit(buf[3]);
+  month = ddsrt_todigit(buf[5]) * 10 + ddsrt_todigit(buf[6]);
+  day = ddsrt_todigit(buf[8]) * 10 + ddsrt_todigit(buf[9]);
+
+  hour = ddsrt_todigit(buf[11]) * 10 + ddsrt_todigit(buf[12]);
+  minute = ddsrt_todigit(buf[14]) * 10 + ddsrt_todigit(buf[15]);
+  second = ddsrt_todigit(buf[17]) * 10 + ddsrt_todigit(buf[18]);
+
+  {
+    int64_t frac_ns_pow = DDS_NSECS_IN_SEC / 10;
+    size_t n = 0;
+    for (n = 0; cnt_frac_sec && n < cnt_frac_sec - 1; n++)
+    {
+      /* Maximum granularity is nanosecond so round to maximum 9 digits */
+      if (n == 9)
+      {
+        if (ddsrt_todigit(buf[20 + n]) >= 5)
+          frac_ns++;
+        break;
+      }
+      frac_ns += ddsrt_todigit(buf[20 + n]) * frac_ns_pow;
+      frac_ns_pow = frac_ns_pow / 10;
+    }
+  }
+
+  /* If the length is 20 the last character must be a Z representing UTC time zone */
+  if (cnt == 19 + cnt_frac_sec || (cnt == 20 + cnt_frac_sec && buf[19 + cnt_frac_sec] == 'Z'))
+  {
+    hour_offset = 0;
+    minute_offset = 0;
+  }
+  else if (cnt == 25 + cnt_frac_sec)
+  {
+    hour_offset = ddsrt_todigit(buf[20 + cnt_frac_sec]) * 10 + ddsrt_todigit(buf[21 + cnt_frac_sec]);
+    minute_offset = ddsrt_todigit(buf[23 + cnt_frac_sec]) * 10 + ddsrt_todigit(buf[24 + cnt_frac_sec]);
+  }
+  else
+    return DDS_TIME_INVALID;
+
+  /* Make a limit check to make sure that all the numbers are within absolute boundaries.
+     Note that leap seconds are not allowed in XML dates and therefore not supported. */
+  if (year < 1970 || year > 2262 || month < 1 || month > 12 || day < 1 || day > 31 ||
+      hour < 0 || hour > 23 || minute < 0 || minute > 59 || second < 0 || second > 59 ||
+      ((hour_offset < 0 || hour_offset > 11 || minute_offset < 0 || minute_offset > 59) && (hour_offset != 12 || minute_offset != 0)))
+  {
+    return DDS_TIME_INVALID;
+  }
+
+  /*  Boundary check including consideration for month and leap years */
+  if (!(((month == 4 || month == 6 || month == 9 || month == 11) && (day >= 1 && day <= 30)) ||
+      ((month == 1 || month == 3 || month == 5 || month == 7 || month == 8 || month == 10 || month == 12) && (day >= 1 && day <= 31)) ||
+      (month == 2 && ((year % 100 != 0 && year % 4 == 0) || (year % 400 == 0)) && (day >= 1 && day <= 29)) ||
+      (month == 2 && (day >= 1 && day <= 28))))
+  {
+    return DDS_TIME_INVALID;
+  }
+
+  /* Convert the year-month-day to total number of days */
+  int32_t total_leap_years = (year - 1970 + 1) / 4;
+  /* Leap year count decreased by the number of xx00 years before current year because these are not leap years,
+     except for 2000. The year 2400 is not in the valid year range so we don't take that into account. */
+  if (year > 2100)
+    total_leap_years -= year / 100 - 20;
+  if (year == 2200)
+    total_leap_years++;
+
+  int32_t total_reg_years = year - 1970 - total_leap_years;
+  int32_t total_num_days = total_leap_years * 366 + total_reg_years * 365;
+  int32_t month_cnt;
+
+  for (month_cnt = 1; month_cnt < month; month_cnt++)
+  {
+    if (month_cnt == 4 || month_cnt == 6 || month_cnt == 9 || month_cnt == 11)
+      total_num_days += 30;
+    else if (month_cnt == 2)
+    {
+      if (year % 400 == 0 || (year % 100 != 0 && year % 4 == 0))
+        total_num_days += 29;
+      else
+        total_num_days += 28;
+    }
+    else
+      total_num_days += 31;
+  }
+  total_num_days += day - 1;
+
+  /* Correct the offset sign if negative */
+  if (buf[19 + cnt_frac_sec] == '-')
+  {
+    hour_offset = -hour_offset;
+    minute_offset = -minute_offset;
+  }
+  /* Convert the total number of days to seconds */
+  int64_t ts_days = (int64_t)total_num_days * 24 * 60 * 60;
+  int64_t ts_hms = hour * 60 * 60 + minute * 60 + second;
+  if (ts_days + ts_hms > INT64_MAX / DDS_NSECS_IN_SEC)
+    return DDS_TIME_INVALID;
+  int64_t ts = DDS_SECS(ts_days + ts_hms);
+
+  /* Apply the hour and minute offset */
+  int64_t ts_offset = DDS_SECS((int64_t)hour_offset * 60 * 60 + minute_offset * 60);
+
+  /* Prevent the offset from making the timestamp negative or overflow it */
+  if ((ts_offset <= 0 || (ts_offset > 0 && ts_offset < ts)) && INT64_MAX - ts - frac_ns >= -ts_offset)
+    return ts - ts_offset + frac_ns;
+
+  return DDS_TIME_INVALID;
+}
diff --git a/src/security/core/tests/CMakeLists.txt b/src/security/core/tests/CMakeLists.txt
index 9cd0e27..d240583 100644
--- a/src/security/core/tests/CMakeLists.txt
+++ b/src/security/core/tests/CMakeLists.txt
@@ -15,6 +15,7 @@ include (CUnit)
 set(security_core_test_sources
     "tc_fsm.c"
     "dds_security_core.c"
+    "security_utils.c"
   )
 
 add_definitions(-DDDSI_INCLUDE_SECURITY)
diff --git a/src/security/core/tests/security_utils.c b/src/security/core/tests/security_utils.c
new file mode 100644
index 0000000..ec4ab89
--- /dev/null
+++ b/src/security/core/tests/security_utils.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
+ * v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "CUnit/CUnit.h"
+#include "CUnit/Test.h"
+#include "dds/ddsrt/time.h"
+#include "dds/security/core/dds_security_utils.h"
+
+CU_Test(ddssec_security_utils, parse_xml_date)
+{
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date(""), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("abc"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01D01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2019-02-29T01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2100-02-29T01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2010-01-01T23:59:60Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01+01"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01+0100"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1969-01-01T01:01:01+0:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1970-01-01T00:00:00+01:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0000000000001+01:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0.1+01:00"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.+01:00"), DDS_TIME_INVALID);
+
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("1970-01-01T00:00:00Z"), 0);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2000-02-29T00:00:00Z"), DDS_SECS(951782400));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01Z"), DDS_SECS(1577840461));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01+00:30"), DDS_SECS(1577840461 - 30 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01+01:00"), DDS_SECS(1577840461 - 60 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01+12:00"), DDS_SECS(1577840461 - 12 * 60 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01-01:00"), DDS_SECS(1577840461 + 60 * 60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-12-31T23:59:59Z"), DDS_SECS(1609459199));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-02-29T01:01:01Z"), DDS_SECS(1582938061));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2038-01-19T03:14:07Z"), DDS_SECS(INT32_MAX));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2038-01-19T03:14:08Z"), DDS_SECS(INT64_C(INT32_MAX + 1)));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2100-01-01T00:00:00Z"), DDS_SECS(4102444800));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2120-01-01T00:00:00Z"), DDS_SECS(4733510400));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2200-01-01T00:00:00Z"), DDS_SECS(7258118400));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2220-01-01T00:00:00Z"), DDS_SECS(7889184000));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775807Z"), INT64_MAX);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775808Z"), DDS_TIME_INVALID);
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775807+00:01"), INT64_MAX - DDS_SECS(60));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2262-04-11T23:47:16.854775807-00:01"), DDS_TIME_INVALID);
+
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.000000001+01:00"),  INT64_C(1577836861000000001));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0000000004+01:00"), INT64_C(1577836861000000000));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.0000000005+01:00"), INT64_C(1577836861000000001));
+  CU_ASSERT_EQUAL(DDS_Security_parse_xml_date("2020-01-01T01:01:01.987654321+01:00"),  INT64_C(1577836861987654321));
+}