udap_security_test_kit 0.9.0

data/lib/udap_security_test_kit/generate_client_certs_test.rb

@@ -0,0 +1,60 @@
+require_relative 'udap_x509_certificate'
+require_relative 'default_cert_file_loader'
+
+module UDAPSecurityTestKit
+  class GenerateClientCertsTest < Inferno::Test
+    title 'Generate Client Certificates'
+    id :udap_generate_client_certs
+    description %(
+      This test may be included in test groups to generate and output a new client certificate for use in UDAP dynamic
+      client registration or authentication/authorization tests.
+    )
+
+    input :udap_client_cert_pem,
+          title: 'X.509 Client Certificate(s) (PEM Format)',
+          description: %(
+            A list of one or more X.509 certificates in PEM format separated by a newline. The first (leaf) certificate
+            MUST represent the client entity and the certificate chain must resolve to a CA trusted by the authorization
+            server under test.
+            Will be auto-generated if left blank.
+          ),
+          type: 'textarea',
+          optional: true
+
+    input :udap_client_private_key_pem,
+          title: 'Client Private Key (PEM Format)',
+          description: %(
+          The private key corresponding to the client certificate used for registration, in PEM format.  Used to sign
+          registration and/or authentication JWTs.
+          Will be auto-generated if left blank.
+          ),
+          type: 'textarea',
+          optional: true
+
+    input :udap_cert_iss,
+          title: 'JWT Issuer (iss) Claim',
+          description: %(
+            MUST correspond to a unique URI entry in the Subject Alternative Name (SAN) extension of the client
+            certificate used for registration.
+            Will be auto-generated with the client cert if left blank.
+          ),
+          optional: true
+
+    output :udap_cert_iss
+    output :udap_client_cert_pem
+    output :udap_client_private_key_pem
+
+    run do
+      omit_if udap_client_cert_pem.present? && udap_client_private_key_pem.present?,
+              'User has opted to provide client certs'
+
+      signing_key = DefaultCertFileLoader.load_default_ca_private_key_file
+
+      cert = UDAPX509Certificate.new(DefaultCertFileLoader.load_default_ca_pem_file, signing_key)
+
+      output udap_cert_iss: cert.san
+      output udap_client_cert_pem: cert.cert.to_pem
+      output udap_client_private_key_pem: cert.cert_private_key.to_pem
+    end
+  end
+end

data/lib/udap_security_test_kit/grant_types_supported_field_test.rb

@@ -0,0 +1,53 @@
+require_relative 'common_assertions'
+
+module UDAPSecurityTestKit
+  extend CommonAssertions
+  class GrantTypesSupportedFieldTest < Inferno::Test
+    title 'grant_types_supported field'
+    id :udap_grant_types_supported_field
+    description %(
+        `grant_types_supported` is an array of one or more grant types
+      )
+
+    input :udap_well_known_metadata_json
+    input :required_flow_type
+    output :udap_registration_grant_type
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('grant_types_supported'), '`grant_types_supported` is a required field'
+
+      CommonAssertions.assert_array_of_strings(config, 'grant_types_supported')
+
+      grant_types = config['grant_types_supported']
+
+      assert grant_types.present?, 'Must include at least 1 supported grant type'
+
+      if grant_types.include?('refresh_token')
+        assert grant_types.include?('authorization_code'),
+               'The `refresh_token` grant type **SHALL** only be included if the `authorization_code` grant type is ' \
+               'also included.'
+      end
+
+      if required_flow_type.include? 'authorization_code'
+        assert grant_types.include?('authorization_code'), 'grant types must
+        include authorization_code for this workflow'
+
+        unless required_flow_type.include? 'client_credentials'
+          output udap_registration_grant_type: 'authorization_code'
+        end
+      end
+
+      if required_flow_type.include? 'client_credentials'
+        assert grant_types.include?('client_credentials'),
+               'grant types must include client_credentials for this workflow'
+
+        unless required_flow_type.include? 'authorization_code'
+          output udap_registration_grant_type: 'client_credentials'
+        end
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/reg_endpoint_jwt_signing_alg_values_supported_field_test.rb

@@ -0,0 +1,29 @@
+require_relative 'common_assertions'
+
+module UDAPSecurityTestKit
+  extend CommonAssertions
+  class RegEndpointJWTSigningAlgValuesSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'registration_endpoint_jwt_signing_alg_values_supported field'
+    id :udap_reg_endpoint_jwt_signing_alg_values_supported_field
+    description %(
+      If present, `registration_endpoint_jwt_signing_alg_values_supported` is
+      an array of one or more strings identifying signature algorithms supported by the Authorization Server for
+       validation of signed software statements, certifications, and endorsements
+      submitted to the registration endpoint.
+    )
+
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      omit_if !config.key?('registration_endpoint_jwt_signing_alg_values_supported'),
+              '`registration_endpoint_jwt_signing_alg_values_supported` field is recommended but not required'
+
+      CommonAssertions.assert_array_of_strings(config, 'registration_endpoint_jwt_signing_alg_values_supported')
+    end
+  end
+end

data/lib/udap_security_test_kit/registration_endpoint_field_test.rb

@@ -0,0 +1,30 @@
+module UDAPSecurityTestKit
+  class RegistrationEndpointFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'registration_endpoint field'
+    id :udap_registration_endpoint_field
+    description %(
+        `registration_endpoint` is a string containing the URL of
+        the Authorization Server's registration endpoint
+      )
+
+    input :udap_well_known_metadata_json
+    output :udap_registration_endpoint
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('registration_endpoint'), '`registration_endpoint` is a required field'
+
+      endpoint = config['registration_endpoint']
+
+      assert endpoint.is_a?(String),
+             "`registration_endpoint` should be a String, but found #{endpoint.class.name}"
+      assert_valid_http_uri(endpoint, "`#{endpoint}` is not a valid URI")
+
+      output udap_registration_endpoint: endpoint
+    end
+  end
+end

data/lib/udap_security_test_kit/registration_failure_invalid_contents_test.rb

@@ -0,0 +1,68 @@
+require_relative 'software_statement_builder'
+require_relative 'udap_jwt_builder'
+
+module UDAPSecurityTestKit
+  class RegistrationFailureInvalidContentsTest < Inferno::Test
+    title 'Dynamic Client Registration request fails with improper software statement contents'
+    id :udap_registration_failure_invalid_contents
+    description %(
+      The [UDAP IG Section 3.1](https://hl7.org/fhir/us/udap-security/STU1/registration.html#software-statement) states:
+      > The unique client URI used for the iss claim SHALL match the uriName entry in the Subject Alternative Name
+      > extension of the client app operator’s X.509 certificate, and SHALL uniquely identify a single client app
+      > operator and application over time
+
+      The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
+      > The Authorization Server SHALL validate the registration request as per Section 4 of UDAP Dynamic Client
+      > Registration. This includes validation of the JWT payload and signature, validation of the X.509 certificate
+      > chain, and **validation of the requested application registration parameters**.
+
+      This test will provide a software statement whose `iss` value does not match the uriName entry in the client's
+      certificate.  The authorization server must reject this request with a 400 response code per
+      [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2):
+      > When a registration error condition occurs, the authorization server
+      *returns an HTTP 400 status code* (unless otherwise specified) with
+      content type "application/json" consisting of a JSON object
+      describing the error in the response body.
+    )
+
+    input :udap_client_cert_pem
+    input :udap_client_private_key_pem
+
+    input :udap_registration_endpoint
+    input :udap_jwt_signing_alg
+    input :udap_registration_requested_scope
+    input :udap_registration_grant_type
+    input :udap_registration_certifications,
+          optional: true
+
+    run do
+      software_statement_payload = SoftwareStatementBuilder.build_payload(
+        'invalid_iss',
+        udap_registration_endpoint,
+        udap_registration_grant_type,
+        udap_registration_requested_scope
+      )
+
+      x5c_certs = UDAPSecurityTestKit::UDAPJWTBuilder.split_user_input_cert_string(
+        udap_client_cert_pem
+      )
+
+      signed_jwt = UDAPSecurityTestKit::UDAPJWTBuilder.encode_jwt_with_x5c_header(
+        software_statement_payload,
+        udap_client_private_key_pem,
+        udap_jwt_signing_alg,
+        x5c_certs
+      )
+
+      registration_headers, registration_body = UDAPSecurityTestKit::UDAPRequestBuilder.build_registration_request(
+        signed_jwt,
+        udap_registration_certifications
+      )
+
+      post(udap_registration_endpoint, body: registration_body, headers: registration_headers)
+
+      assert_response_status(400)
+      assert_valid_json(response[:body])
+    end
+  end
+end

data/lib/udap_security_test_kit/registration_failure_invalid_jwt_signature_test.rb

@@ -0,0 +1,70 @@
+require_relative 'software_statement_builder'
+require_relative 'udap_jwt_builder'
+require_relative 'udap_request_builder'
+
+module UDAPSecurityTestKit
+  class RegistrationFailureInvalidJWTSignatureTest < Inferno::Test
+    title 'Dynamic Client Registration request fails when software statement JWT is improperly signed'
+    id :udap_registration_failure_invalid_jwt_signature
+    description %(
+      The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
+      > The Authorization Server SHALL validate the registration request as per Section 4 of UDAP Dynamic Client
+      > Registration. This includes **validation of the JWT payload and signature**, validation of the X.509 certificate
+      > chain, and validation of the requested application registration parameters.
+
+      Additionally, the [UDAP IG Section 1.2.3](https://hl7.org/fhir/us/udap-security/STU1/#jwt-headers) states that the
+      required `x5c` JWT header value is "An array of one or more strings containing the X.509 certificate or
+      certificate chain, where **the leaf certificate corresponds to the key used to digitally sign the JWT.**"
+
+      This test will provide a software statement signed with a randomly generated private key that does not correspond
+      to the client certificate included in the x5c header claim.
+      The authorization server must reject this request with a 400 response code per
+      [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.2):
+      > When a registration error condition occurs, the authorization server
+      *returns an HTTP 400 status code* (unless otherwise specified) with
+      content type "application/json" consisting of a JSON object
+      describing the error in the response body.
+    )
+
+    input :udap_client_cert_pem
+    input :udap_cert_iss
+
+    input :udap_registration_endpoint
+    input :udap_jwt_signing_alg
+    input :udap_registration_requested_scope
+    input :udap_registration_grant_type
+    input :udap_registration_certifications,
+          optional: true
+
+    run do
+      software_statement_payload = SoftwareStatementBuilder.build_payload(
+        udap_cert_iss,
+        udap_registration_endpoint,
+        udap_registration_grant_type,
+        udap_registration_requested_scope
+      )
+
+      x5c_certs = UDAPSecurityTestKit::UDAPJWTBuilder.split_user_input_cert_string(
+        udap_client_cert_pem
+      )
+
+      random_private_key = OpenSSL::PKey::RSA.generate 2048
+      signed_jwt = UDAPSecurityTestKit::UDAPJWTBuilder.encode_jwt_with_x5c_header(
+        software_statement_payload,
+        random_private_key.to_pem,
+        udap_jwt_signing_alg,
+        x5c_certs
+      )
+
+      reg_headers, reg_body = UDAPSecurityTestKit::UDAPRequestBuilder.build_registration_request(
+        signed_jwt,
+        udap_registration_certifications
+      )
+
+      post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
+
+      assert_response_status(400)
+      assert_valid_json(response[:body])
+    end
+  end
+end

data/lib/udap_security_test_kit/registration_success_contents_test.rb

@@ -0,0 +1,64 @@
+module UDAPSecurityTestKit
+  class RegistrationSuccessContentsTest < Inferno::Test
+    title 'Successful Dynamic Client Registration request response contains required contents'
+    id :udap_registration_success_contents
+    description %(
+      The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
+      > If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
+      > Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration, including the unique
+      > client_id assigned by the Authorization Server to that client app.
+
+      And the [UDAP Profile Section 5.1](https://www.udap.org/udap-dynamic-client-registration-stu1.html#section-5.1)
+       states:
+      > If the request is granted, the Authorization Server returns a registration response as per Section 3.2.1 of RFC
+      > 7591. The top-level elements of the response SHALL include the client_id issued by the Authorization Server for
+      > use by the Client App, the software statement as submitted by the Client App, and all of the registration
+      > related parameters that were included in the software statement.
+
+      This test verifies:
+      - `client_id` claim is included in the registration response and its value is not blank
+      - `software_statement` claim in the registration response matches the software statement JWT provided in the
+      original registration request
+      - The registration response includes claims for `client_name`, `grant_types`, `token_endpoint_auth_method`, and
+      `scope`, whose values match those in the originally submitted software statement
+      - If the registered grant type is `authorization_code`, then the response includes claims for `redirect_uris` and
+      `response_type` whose values match those in the originally submitted software statement
+    )
+
+    input :udap_software_statement_json
+    input :udap_software_statement_jwt
+    input :udap_registration_response
+    input :udap_registration_grant_type
+
+    output :udap_client_id
+
+    run do
+      assert_valid_json(udap_registration_response)
+      registration_response = JSON.parse(udap_registration_response)
+
+      assert registration_response.key?('client_id'), 'Successful registration response must contain a client_id'
+      client_id = registration_response['client_id']
+      assert client_id.present?, 'client_id cannot be blank'
+
+      output udap_client_id: client_id
+
+      assert registration_response['software_statement'] == udap_software_statement_jwt,
+             'Successful registration response must include the ' \
+             'software statement JWT submitted by client'
+
+      original_software_statement = JSON.parse(udap_software_statement_json)
+
+      expected_claims = ['client_name', 'grant_types', 'token_endpoint_auth_method', 'scope']
+      auth_code_claims = ['redirect_uris', 'response_types']
+
+      expected_claims.concat auth_code_claims if udap_registration_grant_type == 'authorization_code'
+
+      expected_claims.each do |claim|
+        assert registration_response.key?(claim), "Successful registration response must include #{claim} claim"
+        assert registration_response[claim] == original_software_statement[claim],
+               "Registration response value for #{claim} does not match " \
+               'in client-submitted software statement'
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/registration_success_test.rb

@@ -0,0 +1,68 @@
+require_relative 'software_statement_builder'
+require_relative 'udap_jwt_builder'
+
+module UDAPSecurityTestKit
+  class RegistrationSuccessTest < Inferno::Test
+    title 'Dynamic Client Registration request succeeds with valid software statement, JWT signature, and client certs'
+
+    id :udap_registration_success
+    description %(
+      When the Dynamic Client registration request includes a properly signed software statement JWT with the required
+      contents, the registration request should succeed.
+
+      The [UDAP IG Section 3.2.3](https://hl7.org/fhir/us/udap-security/STU1/registration.html#request-body) states:
+      > If a new registration is successful, the Authorization Server SHALL return a registration response with a 201
+      > Created HTTP response code as per Section 5.1 of UDAP Dynamic Client Registration
+    )
+
+    input :udap_client_cert_pem
+    input :udap_client_private_key_pem
+    input :udap_cert_iss
+
+    input :udap_registration_endpoint
+    input :udap_jwt_signing_alg
+    input :udap_registration_requested_scope
+    input :udap_registration_grant_type
+    input :udap_registration_certifications,
+          optional: true
+
+    output :udap_software_statement_jwt
+    output :udap_software_statement_json
+    output :udap_registration_response
+
+    run do
+      software_statement_payload = SoftwareStatementBuilder.build_payload(
+        udap_cert_iss,
+        udap_registration_endpoint,
+        udap_registration_grant_type,
+        udap_registration_requested_scope
+      )
+
+      output udap_software_statement_json: software_statement_payload.to_json
+
+      x5c_certs = UDAPSecurityTestKit::UDAPJWTBuilder.split_user_input_cert_string(
+        udap_client_cert_pem
+      )
+
+      signed_jwt = UDAPSecurityTestKit::UDAPJWTBuilder.encode_jwt_with_x5c_header(
+        software_statement_payload,
+        udap_client_private_key_pem,
+        udap_jwt_signing_alg,
+        x5c_certs
+      )
+
+      output udap_software_statement_jwt: signed_jwt
+
+      reg_headers, reg_body = UDAPSecurityTestKit::UDAPRequestBuilder.build_registration_request(
+        signed_jwt,
+        udap_registration_certifications
+      )
+
+      post(udap_registration_endpoint, body: reg_body, headers: reg_headers)
+
+      assert_response_status(201)
+      assert_valid_json(response[:body])
+      output udap_registration_response: response[:body]
+    end
+  end
+end

data/lib/udap_security_test_kit/scopes_supported_field_test.rb

@@ -0,0 +1,26 @@
+require_relative 'common_assertions'
+
+module UDAPSecurityTestKit
+  extend CommonAssertions
+  class ScopesSupportedFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'scopes_supported field'
+    id :udap_scopes_supported_field
+    description %(
+        If present, `scopes_supported` is an array of one or more
+        strings containing scopes
+      )
+
+    input :udap_well_known_metadata_json
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      omit_if !config.key?('scopes_supported')
+
+      CommonAssertions.assert_array_of_strings(config, 'scopes_supported')
+    end
+  end
+end

data/lib/udap_security_test_kit/signed_metadata_contents_test.rb

@@ -0,0 +1,89 @@
+require 'jwt'
+require_relative 'udap_jwt_validator'
+module UDAPSecurityTestKit
+  class SignedMetadataContentsTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'signed_metadata contents'
+    id :udap_signed_metadata_contents
+    description %(
+      `signed_metadata` is a string containing a JWT listing the server's endpoints.  This test will validate the JWT
+      signature as specified in [UDAP IG Section 1.2 JSON Web Token (JWT) Requirements](https://hl7.org/fhir/us/udap-security/STU1/index.html#json-web-token-jwt-requirements)
+      and validate the JWT contents as outlined in [UDAP Discovery IG Section 2.3 Signed Metadata Elements](https://hl7.org/fhir/us/udap-security/STU1/discovery.html#signed-metadata-elements).
+    )
+
+    input :signed_metadata_jwt, optional: true
+    input :udap_well_known_metadata_json, :udap_fhir_base_url
+
+    run do
+      skip_if signed_metadata_jwt.blank?
+
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      token_body, token_header = JWT.decode(signed_metadata_jwt, nil, false)
+
+      assert token_header.key?('x5c'), 'JWT header does not contain `x5c` field'
+      assert token_header.key?('alg'), 'JWT header does not contain `alg` field'
+
+      leaf_cert_der = Base64.urlsafe_decode64(token_header['x5c'].first)
+      leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
+      signature_validation_result = UDAPSecurityTestKit::UDAPJWTValidator.validate_signature(
+        signed_metadata_jwt,
+        token_header['alg'],
+        leaf_cert
+      )
+
+      assert signature_validation_result[:success], signature_validation_result[:error_message]
+
+      ['iss', 'sub', 'exp', 'iat', 'jti'].each do |key|
+        assert token_body.key?(key), "JWT does not contain `#{key}` claim"
+      end
+
+      ['token_endpoint', 'registration_endpoint']
+        .each do |key|
+          assert token_body.key?(key), "JWT must contain `#{key}` claim"
+          assert token_body[key].is_a?(String), "Value for `#{key}` must be a String"
+        end
+
+      if config.key?('authorization_endpoint')
+        assert token_body.key?('authorization_endpoint'),
+               'JWT must contain `authorization_endpoint` key because it is present in unsigned metadata'
+        assert token_body['authorization_endpoint'].is_a?(String), 'Value for `authorization_endpoint` must be a String'
+
+        assert token_body['iss'] == udap_fhir_base_url,
+               "`iss` claim `#{token_body['iss']}` is not the same as server base url `#{udap_fhir_base_url}`"
+
+        begin
+          alt_names =
+            leaf_cert.extensions
+              .find { |extension| extension.oid == 'subjectAltName' }
+              .value
+        rescue NoMethodError
+          assert false, 'Could not find Subject Alternative Name extension in leaf certificate'
+        end
+
+        # Certification may have more than one SAN value
+        assert alt_names.include?("URI:#{token_body['iss']}"),
+               "`iss` claim `#{token_body['iss']}` not found in Subject Alternative Name extension " \
+               "from the `x5c` JWT header: `#{alt_names}`"
+
+        assert token_body['iss'] == token_body['sub'],
+               "`iss` claim `#{token_body['iss']}` does not match `sub` claim `#{token_body['sub']}`"
+
+        ['iat', 'exp'].each do |key|
+          assert token_body[key].is_a?(Numeric),
+                 "Expected `#{key}` to be numeric, but found #{token_body[key].class.name}"
+        end
+        issue_time = Time.at(token_body['iat'])
+        expiration_time = Time.at(token_body['exp'])
+
+        assert expiration_time <= issue_time + 1.year, %(
+        `exp` is more than a year after `iat`'.
+        * `iat`: #{token_body['iat']} - #{issue_time.iso8601}
+        * `exp`: #{token_body['exp']} - #{expiration_time.iso8601}
+      )
+      end
+    end
+  end
+end

data/lib/udap_security_test_kit/signed_metadata_field_test.rb

@@ -0,0 +1,31 @@
+require 'jwt'
+
+module UDAPSecurityTestKit
+  class SignedMetadataFieldTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'signed_metadata field'
+    id :udap_signed_metadata_field
+    description %(
+       `signed_metadata` is a string containing a JWT listing the server's endpoints
+      )
+
+    input :udap_well_known_metadata_json
+    output :signed_metadata_jwt
+
+    run do
+      assert_valid_json(udap_well_known_metadata_json)
+      config = JSON.parse(udap_well_known_metadata_json)
+
+      assert config.key?('signed_metadata'), '`signed_metadata is a required field'
+      jwt = config['signed_metadata']
+
+      assert jwt.is_a?(String), "`signed_metadata` should be a String, but found #{jwt.class.name}"
+      output signed_metadata_jwt: jwt
+
+      jwt_regex = %r{^[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$}
+
+      assert jwt.match?(jwt_regex), '`signed_metadata` is not a valid JWT'
+    end
+  end
+end

data/lib/udap_security_test_kit/signed_metadata_trust_verification_test.rb

@@ -0,0 +1,54 @@
+require 'jwt'
+require_relative 'udap_jwt_validator'
+module UDAPSecurityTestKit
+  class SignedMetadataTrustVerificationTest < Inferno::Test
+    include Inferno::DSL::Assertions
+
+    title 'signed_metadata contents: trust can be verified from server certificates'
+    id :udap_signed_metadata_trust_verification
+    description %(
+       The [UDAP IG profile on UDAP Server Metadata Section 3.2](https://www.udap.org/udap-server-metadata.html) says:
+       > The Client app attempts to construct a valid certificate chain from the Server’s certificate (cert1) to an
+       > anchor certificate trusted by the Client app using conventional X.509 chain building techniques and path
+       > validation, including certificate validity and revocation status checking. The Server MAY provide a complete
+       > certificate chain in the x5c element. The Client app MAY use additional certificates not included by the Server
+       > to construct a chain.
+
+       This test will establish trust against the root CA(s) provided as test inputs.
+       Currently, the use of Authority Information Access (AIA) extensions is NOT supported.  As such, servers must
+       include any intermediate CAs necessary for building a trust chain in the JWT `x5c` header OR as an additional
+       trust anchor certificate input to the test (see input instructions for more details).
+      )
+
+    input :signed_metadata_jwt
+    input :udap_server_trust_anchor_certs,
+          title: 'Auth Server Trust Anchor X509 Certificate(s) (PEM Format)',
+          description: %(
+            A list of one or more trust anchor root CA X.509 certificates, separated by a newline. Inferno will use
+            these to establish
+            trust with the authorization server's certificates provided in the discovery response signed_metadata JWT.
+          ),
+          type: 'textarea'
+
+    run do
+      skip_if udap_server_trust_anchor_certs.blank?
+      _token_body, token_header = JWT.decode(signed_metadata_jwt, nil, false)
+
+      assert token_header.key?('x5c'), 'JWT header does not contain `x5c` field'
+      assert token_header.key?('alg'), 'JWT header does not contain `alg` field'
+
+      trust_anchor_certs = UDAPJWTBuilder.split_user_input_cert_string(udap_server_trust_anchor_certs).map do |cert_pem|
+        OpenSSL::X509::Certificate.new(cert_pem)
+      end
+
+      validation_result = UDAPJWTValidator.validate_trust_chain(
+        token_header['x5c'],
+        trust_anchor_certs
+      )
+
+      assert validation_result[:success],
+             "Trust could not be established with server certificates, /
+             error message: #{validation_result[:error_message]}"
+    end
+  end
+end