+START_TEST(test_inhibit_mapping_good)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
+ X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
+ im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_inhibit_mapping_bad)
+{
+ certificate_t *ca, *i1, *i2, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
+ X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
+ i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL);
+ i2 = create_cert(i1, "CN=IM2", extended, X509_CA, baseline, extended);
+ sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, i1);
+ creds->add_cert(creds, FALSE, i2);
+ creds->add_cert(creds, FALSE, sj);
+
+ /* TODO: we currently reject the certificate completely, but should
+ * actually just invalidate the policy not mapped properly */
+ ck_assert(!check_trust(sj->get_subject(sj)));
+}
+END_TEST
+