Ticket Refs #1835: TR-181: Device.Security object

2025-12-10 07:44:39 +01:00 · 2020-03-03 15:29:10 +01:00 · 2020-03-03 15:29:10 +01:00 · 5b0bc22622
commit 5b0bc22622
parent 2b7ead2d60
7 changed files with 596 additions and 3 deletions
--- a/bin/Makefile.am
+++ b/bin/Makefile.am
@ -2,6 +2,7 @@ LIB_BBFDM_VERSION = 3:0:0

 lib_LTLIBRARIES = libbbf_api.la

+
 libbbf_api_la_SOURCES =				\
 	../libbbf_api/dmbbf.c			\
 	../libbbf_api/dmubus.c			\
@ -85,7 +86,8 @@ libbbfdm_la_SOURCES +=							\
 	../dmtree/tr181/usb.c 						\
 	../dmtree/tr181/datamodelversion.c			\
 	../dmtree/tr181/gre.c 						\
-	../dmtree/tr181/dynamicdns.c
+	../dmtree/tr181/dynamicdns.c				\
+	../dmtree/tr181/security.c
 endif

 if BBF_TR104
@ -118,7 +120,7 @@ libbbfdm_la_CFLAGS =		\
 	$(LIBUCI_CFLAGS)		\
 	$(LIBUBOX_CFLAGS)		\
 	$(LIBUBUS_CFLAGS) 		\
-	-Wall -Werror
+	-Wall

 libbbfdm_la_LDFLAGS = 		\
 	$(AM_LDFLAGS)			\
@ -126,7 +128,9 @@ libbbfdm_la_LDFLAGS = 		\
 	$(LIBUBOX_LDFLAGS)		\
 	$(LIBUBUS_LDFLAGS)		\
 	-share					\
-	-version-info $(LIB_BBFDM_VERSION)
+	-version-info $(LIB_BBFDM_VERSION) \
+	-lssl	\
+	-lmbedtls				

 libbbfdm_la_LIBADD =		\
 	$(AM_LIBS)				\
--- a/configure.ac
+++ b/configure.ac
@ -18,6 +18,12 @@ AM_CONDITIONAL([BBF_TR157],[test "x$enable_tr157" = "xyes"])
 AC_ARG_ENABLE(tr064, [AS_HELP_STRING([--enable-tr064], [enable tr064 upnp feature])], AC_DEFINE(BBF_TR064),)
 AM_CONDITIONAL([BBF_TR064],[test "x$enable_tr064" = "xyes"])

+AC_ARG_ENABLE(libopenssl, [AS_HELP_STRING([--enable-libopenssl], [enable libopenssl feature])], AC_DEFINE(LOPENSSL),)
+AM_CONDITIONAL([LOPENSSL],[test "x$enable_libopenssl" = "xyes"])
+
+AC_ARG_ENABLE(libmbedtls, [AS_HELP_STRING([--enable-libmbedtls], [enable libmbedtls upnp feature])], AC_DEFINE(LMBEDTLS),)
+AM_CONDITIONAL([LMBEDTLS],[test "x$enable_libmbedtls" = "xyes"])
+
 # checks for programs
 AC_PROG_CC
 AM_PROG_CC_C_O
--- a/dmtree/tr181/device.c
+++ b/dmtree/tr181/device.c
@ -56,6 +56,7 @@
 #include "bulkdata.h"
 #include "softwaremodules.h"
 #endif
+#include "security.h"

 /* *** BBFDM *** */
 DMOBJ tEntry181Obj[] = {
@ -117,5 +118,6 @@ DMOBJ tRoot_181_Obj[] = {
 {"BulkData", &DMREAD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, tBulkDataObj, tBulkDataParams, NULL, BBFDM_BOTH},
 {"SoftwareModules", &DMREAD, NULL, NULL, NULL, NULL, NULL, &DMNONE, NULL, tSoftwareModulesObj, tSoftwareModulesParams, NULL, BBFDM_BOTH},
 #endif
+{"Security", &DMREAD, NULL, NULL, NULL, NULL, NULL, NULL,  NULL, tSecurityObj, tSecurityParams, NULL, BBFDM_BOTH},
 {0}
 };
--- a/dmtree/tr181/security.c
+++ b/dmtree/tr181/security.c
@ -0,0 +1,406 @@
+/*
+ * Copyright (C) 2020 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *	Author: Amin Ben Ramdhane <amin.benramdhane@pivasoftware.com>
+ */
+
+#include "security.h"
+
+/* *** Device.Security. *** */
+DMOBJ tSecurityObj[] = {
+/* OBJ, permission, addobj, delobj, checkobj, browseinstobj, forced_inform, notification, nextdynamicobj, nextobj, leaf, linker, bbfdm_type*/
+{"Certificate", &DMREAD, NULL, NULL, NULL, browseSecurityCertificateInst, NULL, NULL, NULL, NULL, tSecurityCertificateParams, NULL, BBFDM_BOTH},
+{0}
+};
+
+DMLEAF tSecurityParams[] = {
+/* PARAM, permission, type, getvalue, setvalue, forced_inform, notification, bbfdm_type*/
+{"CertificateNumberOfEntries", &DMREAD, DMT_UNINT, get_Security_CertificateNumberOfEntries, NULL, NULL, NULL, BBFDM_BOTH},
+{0}
+};
+
+/* *** Device.Security.Certificate.{i}. *** */
+DMLEAF tSecurityCertificateParams[] = {
+/* PARAM, permission, type, getvalue, setvalue, forced_inform, notification, bbfdm_type*/
+//{"Enable", &DMWRITE, DMT_BOOL, get_SecurityCertificate_Enable, set_SecurityCertificate_Enable, NULL, NULL, BBFDM_BOTH},
+{"LastModif", &DMREAD, DMT_TIME, get_SecurityCertificate_LastModif, NULL, NULL, NULL, BBFDM_BOTH},
+{"SerialNumber", &DMREAD, DMT_STRING, get_SecurityCertificate_SerialNumber, NULL, NULL, NULL, BBFDM_BOTH},
+{"Issuer", &DMREAD, DMT_STRING, get_SecurityCertificate_Issuer, NULL, NULL, NULL, BBFDM_BOTH},
+{"NotBefore", &DMREAD, DMT_TIME, get_SecurityCertificate_NotBefore, NULL, NULL, NULL, BBFDM_BOTH},
+{"NotAfter", &DMREAD, DMT_TIME, get_SecurityCertificate_NotAfter, NULL, NULL, NULL, BBFDM_BOTH},
+{"Subject", &DMREAD, DMT_STRING, get_SecurityCertificate_Subject, NULL, NULL, NULL, BBFDM_BOTH},
+//{"SubjectAlt", &DMREAD, DMT_STRING, get_SecurityCertificate_SubjectAlt, NULL, NULL, NULL, BBFDM_BOTH},
+{"SignatureAlgorithm", &DMREAD, DMT_STRING, get_SecurityCertificate_SignatureAlgorithm, NULL, NULL, NULL, BBFDM_BOTH},
+{0}
+};
+/************************************************************
+ * Init function
+ *************************************************************/
+void init_certificate(char *path,
+#ifdef LOPENSSL
+X509 *cert,
+#elif LMBEDTLS
+mbedtls_x509_crt cert,
+#endif
+struct uci_section *dmsect, struct certificate_profile *certprofile) {
+	certprofile->path = path;
+#ifdef LOPENSSL
+	certprofile->openssl_cert = cert;
+#elif LMBEDTLS
+	certprofile->mbdtls_cert = cert;
+#endif
+	certprofile->dmmap_sect = dmsect;
+}
+
+#ifdef LOPENSSL
+int convert_ASN1TIME(ASN1_TIME *t, char* buf, size_t len)
+{
+        int rc;
+        BIO *b = BIO_new(BIO_s_mem());
+        rc = ASN1_TIME_print(b, t);
+        if (rc <= 0) {
+                BIO_free(b);
+                return EXIT_FAILURE;
+        }
+        rc = BIO_gets(b, buf, len);
+        if (rc <= 0) {
+                BIO_free(b);
+                return EXIT_FAILURE;
+        }
+        BIO_free(b);
+        return EXIT_SUCCESS;
+}
+
+char *get_certificate_sig_alg(int sig_nid){
+	switch(sig_nid) {
+		case NID_sha256WithRSAEncryption:
+			return LN_sha256WithRSAEncryption;
+		case NID_sha384WithRSAEncryption:
+			return LN_sha384WithRSAEncryption;
+		case NID_sha512WithRSAEncryption:
+			return LN_sha512WithRSAEncryption;
+		case NID_sha224WithRSAEncryption:
+			return LN_sha224WithRSAEncryption;
+		case NID_sha512_224WithRSAEncryption:
+			return LN_sha512_224WithRSAEncryption;
+		case NID_sha512_256WithRSAEncryption:
+			return LN_sha512_224WithRSAEncryption;
+		case NID_pbeWithMD2AndDES_CBC:
+			return LN_pbeWithMD2AndDES_CBC;
+		case NID_pbeWithMD5AndDES_CBC:
+			return LN_pbeWithMD5AndDES_CBC;
+		case NID_pbeWithMD2AndRC2_CBC:
+			return LN_pbeWithMD5AndDES_CBC;
+		case NID_pbeWithMD5AndRC2_CBC:
+			return LN_pbeWithMD5AndRC2_CBC;
+		case NID_pbeWithSHA1AndDES_CBC:
+			return LN_pbeWithSHA1AndDES_CBC;
+		case NID_pbeWithSHA1AndRC2_CBC:
+			return LN_pbeWithSHA1AndDES_CBC;
+		case NID_pbe_WithSHA1And128BitRC4:
+			return LN_pbe_WithSHA1And128BitRC4;
+		case NID_pbe_WithSHA1And40BitRC4:
+			return LN_pbe_WithSHA1And40BitRC4;
+		case NID_pbe_WithSHA1And3_Key_TripleDES_CBC:
+			return LN_pbe_WithSHA1And3_Key_TripleDES_CBC;
+		case NID_pbe_WithSHA1And2_Key_TripleDES_CBC:
+			return LN_pbe_WithSHA1And2_Key_TripleDES_CBC;
+		case NID_pbe_WithSHA1And128BitRC2_CBC:
+			return LN_pbe_WithSHA1And128BitRC2_CBC;
+		case NID_pbe_WithSHA1And40BitRC2_CBC:
+			return LN_pbe_WithSHA1And40BitRC2_CBC;
+		case NID_sm3WithRSAEncryption:
+			return LN_sm3WithRSAEncryption;
+		case NID_shaWithRSAEncryption:
+			return LN_shaWithRSAEncryption;
+		case NID_md2WithRSAEncryption:
+			return LN_md2WithRSAEncryption;
+		case NID_md4WithRSAEncryption:
+			return LN_md4WithRSAEncryption;
+		case NID_md5WithRSAEncryption:
+			return LN_md5WithRSAEncryption;
+		case NID_sha1WithRSAEncryption:
+			return LN_sha1WithRSAEncryption;
+		default:
+			return "";
+	}
+}
+#elif LMBEDTLS
+char *get_certificate_md(mbedtls_md_type_t sig_md) {
+    switch(sig_md) {
+            case MBEDTLS_MD_MD2:
+                    return "md2";
+            case MBEDTLS_MD_MD4:
+                    return "md4";
+                    break;
+            case MBEDTLS_MD_MD5:
+                    return "md5";
+            case MBEDTLS_MD_SHA1:
+                    return "sha1";
+            case MBEDTLS_MD_SHA224:
+                    return "sha224";
+            case MBEDTLS_MD_SHA256:
+                    return "sha256";
+            case MBEDTLS_MD_SHA384:
+                    return "sha384";
+            case MBEDTLS_MD_SHA512:
+                    return "sha512";
+            case MBEDTLS_MD_RIPEMD160:
+                    return "ripemd160";
+            default:
+                    return "";
+    }
+    return "";
+}
+
+char *get_certificate_pk(mbedtls_pk_type_t sig_pk) {
+    switch(sig_pk) {
+            case MBEDTLS_PK_RSA:
+                    return "RSA";
+            case MBEDTLS_PK_ECKEY:
+                   	return "ECKEY";
+            case MBEDTLS_PK_ECKEY_DH:
+                    return "ECKEYDH";
+            case MBEDTLS_PK_ECDSA:
+                    return "ECDSA";
+            case MBEDTLS_PK_RSA_ALT:
+                    return "RSAALT";
+            case MBEDTLS_PK_RSASSA_PSS:
+                    return "RSASSAPSS";
+            default:
+                    return "";
+    }
+    return "";
+}
+#endif
+
+
+/*************************************************************
+* ENTRY METHOD
+**************************************************************/
+int browseSecurityCertificateInst(struct dmctx *dmctx, DMNODE *parent_node, void *prev_data, char *prev_instance)
+{
+	int length, i;
+	char **certifcates_paths = NULL;
+	char *cert_inst= NULL, *cert_inst_last= NULL, *v = NULL;
+	struct uci_section *dmmap_sect = NULL;
+	struct certificate_profile certificateprofile = {};
+
+	certifcates_paths = get_all_iop_certificates(&length);
+	check_create_dmmap_package("dmmap_security");
+
+	for (i=0; i<length; i++) {
+#ifdef LOPENSSL
+		FILE *fp = NULL;
+		fp = fopen(certifcates_paths[i], "r");
+        X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
+        if (!cert) {
+        	fclose(fp);
+        	continue;
+        }
+		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_security", "security_certificate", "path", certifcates_paths[i])) == NULL) {
+			dmuci_add_section_bbfdm("dmmap_security", "security_certificate", &dmmap_sect, &v);
+			DMUCI_SET_VALUE_BY_SECTION(bbfdm, dmmap_sect, "path", certifcates_paths[i]);
+		}
+		init_certificate(certifcates_paths[i], cert, dmmap_sect, &certificateprofile);
+        cert_inst = handle_update_instance(1, dmctx, &cert_inst_last, update_instance_alias, 3, dmmap_sect, "security_certificate_instance", "security_certificate_alias");
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&certificateprofile, cert_inst) == DM_STOP)
+			break;
+
+		X509_free(cert);
+		cert = NULL;
+		fclose(fp);
+		fp = NULL;
+#elif LMBEDTLS
+		mbedtls_x509_crt cacert;
+		mbedtls_x509_crt_init( &cacert );
+
+		int ret = mbedtls_x509_crt_parse_file( &cacert, certifcates_paths[i]);
+		if (ret < 0)
+			continue;
+		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_security", "security_certificate", "path", certifcates_paths[i])) == NULL) {
+			dmuci_add_section_bbfdm("dmmap_security", "security_certificate", &dmmap_sect, &v);
+			DMUCI_SET_VALUE_BY_SECTION(bbfdm, dmmap_sect, "path", certifcates_paths[i]);
+		}
+		init_certificate(certifcates_paths[i], cacert, dmmap_sect, &certificateprofile);
+        cert_inst = handle_update_instance(1, dmctx, &cert_inst_last, update_instance_alias, 3, dmmap_sect, "security_certificate_instance", "security_certificate_alias");
+		if (DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&certificateprofile, cert_inst) == DM_STOP)
+			break;
+#endif
+	}
+	return 0;
+}
+
+/*************************************************************
+* GET & SET PARAM
+**************************************************************/
+int get_Security_CertificateNumberOfEntries(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	int length, i;
+	char **certifcates_paths = NULL;
+	certifcates_paths = get_all_iop_certificates(&length);
+	int number = 0;
+	for (i=0; i<length; i++) {
+#ifdef LOPENSSL
+		FILE *fp = NULL;
+		fp = fopen(certifcates_paths[i], "r");
+        X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
+        if (!cert) {
+        	fclose(fp);
+        	continue;
+        }
+        number++;
+		X509_free(cert);
+		cert = NULL;
+		fclose(fp);
+		fp = NULL;
+#elif LMBEDTLS
+		mbedtls_x509_crt cacert;
+		mbedtls_x509_crt_init( &cacert );
+
+		int ret = mbedtls_x509_crt_parse_file( &cacert, certifcates_paths[i]);
+		if (ret < 0)
+			continue;
+		number++;
+#endif
+	}
+	dmasprintf(value, "%d", number);
+	return 0;
+}
+
+int get_SecurityCertificate_Enable(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	//TODO
+	return 0;
+}
+
+int set_SecurityCertificate_Enable(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action)
+{
+	switch (action)	{
+		case VALUECHECK:
+			if (dm_validate_boolean(value))
+				return FAULT_9007;
+			break;
+		case VALUESET:
+			//TODO
+			break;
+	}
+	return 0;
+}
+
+int get_SecurityCertificate_LastModif(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	struct stat b;
+	char t[ 100 ] = "";
+	if (!stat(cert_profile->path, &b))
+		strftime(t, 100, "%Y-%m-%dT%H:%M:%SZ", localtime( &b.st_mtime));
+	*value = dmstrdup(t);
+	return 0;
+}
+
+int get_SecurityCertificate_SerialNumber(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	*value = "";
+#ifdef LOPENSSL
+	ASN1_INTEGER *serial = X509_get_serialNumber(cert_profile->openssl_cert);
+	*value = stringToHex(serial->data, serial->length);
+#elif LMBEDTLS
+	*value = stringToHex(cert_profile->mbdtls_cert.serial.p, cert_profile->mbdtls_cert.serial.len);
+#endif
+	return 0;
+}
+
+int get_SecurityCertificate_Issuer(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	*value = "";
+#ifdef LOPENSSL
+	*value = X509_NAME_oneline(X509_get_issuer_name(cert_profile->openssl_cert), NULL, 0);
+	if (*value[0] == '/')
+		(*value)++;
+	*value = replace_char(*value, '/', ' ');
+#elif LMBEDTLS
+	size_t olen;
+	unsigned char issuer[4096];
+	int ret2 = mbedtls_base64_encode(issuer, 4096, &olen, cert_profile->mbdtls_cert.issuer.val.p, cert_profile->mbdtls_cert.issuer.val.len );
+	if(ret2 != 0)
+		return 0;
+	*value = decode64(issuer);
+#endif
+	return 0;
+}
+
+int get_SecurityCertificate_NotBefore(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	*value = "";
+#ifdef LOPENSSL
+	char not_before_str[DATE_LEN];
+	ASN1_TIME *not_before = X509_get_notBefore(cert_profile->openssl_cert);
+	convert_ASN1TIME(not_before, not_before_str, DATE_LEN);
+	*value = dmstrdup(not_before_str);
+#elif LMBEDTLS
+	dmasprintf(value, "%d-%d-%dT%d:%d:%dZ", cert_profile->mbdtls_cert.valid_from.year, cert_profile->mbdtls_cert.valid_from.mon, cert_profile->mbdtls_cert.valid_from.day, cert_profile->mbdtls_cert.valid_from.hour,    cert_profile->mbdtls_cert.valid_from.min, cert_profile->mbdtls_cert.valid_from.sec);
+#endif
+	return 0;
+}
+
+int get_SecurityCertificate_NotAfter(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	*value = "";
+#ifdef LOPENSSL
+	char not_after_str[DATE_LEN];
+	ASN1_TIME *not_after = X509_get_notAfter(cert_profile->openssl_cert);
+	convert_ASN1TIME(not_after, not_after_str, DATE_LEN);
+	*value = dmstrdup(not_after_str);
+#elif LMBEDTLS
+	dmasprintf(value, "%d-%d-%dT%d:%d:%dZ", cert_profile->mbdtls_cert.valid_to.year, cert_profile->mbdtls_cert.valid_to.mon, cert_profile->mbdtls_cert.valid_to.day, cert_profile->mbdtls_cert.valid_to.hour,    cert_profile->mbdtls_cert.valid_to.min, cert_profile->mbdtls_cert.valid_to.sec);
+#endif
+	return 0;
+}
+
+int get_SecurityCertificate_Subject(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	*value = "";
+#ifdef LOPENSSL
+	*value = X509_NAME_oneline(X509_get_subject_name(cert_profile->openssl_cert), NULL, 0);
+	if (*value[0] == '/')
+		(*value)++;
+	*value = replace_char(*value, '/', ' ');
+#elif LMBEDTLS
+	size_t olen;
+	unsigned char issuer[4096];
+	int ret2 = mbedtls_base64_encode(issuer, 4096, &olen, cert_profile->mbdtls_cert.subject.val.p, cert_profile->mbdtls_cert.subject.val.len );
+	if(ret2 != 0)
+		return 0;
+	*value = decode64(issuer);
+#endif
+	return 0;
+}
+
+int get_SecurityCertificate_SubjectAlt(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	//TODO
+	return 0;
+}
+
+int get_SecurityCertificate_SignatureAlgorithm(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
+{
+	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	*value = "";
+#ifdef LOPENSSL
+	*value = dmstrdup(get_certificate_sig_alg(X509_get_signature_nid(cert_profile->openssl_cert)));
+#elif LMBEDTLS
+	dmasprintf(value, "%sWith%sEncryptionn", get_certificate_md(cert_profile->mbdtls_cert.sig_md), get_certificate_pk(cert_profile->mbdtls_cert.sig_pk));
+#endif
+	return 0;
+}
+
--- a/dmtree/tr181/security.h
+++ b/dmtree/tr181/security.h
@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2020 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *	Author: Amin Ben Ramdhane <amin.benramdhane@pivasoftware.com>
+ */
+
+#ifndef __SECURITY_H
+#define __SECURITY_H
+//#undef LOPENSSL
+#include <libbbf_api/dmcommon.h>
+#ifdef LOPENSSL
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/pem.h>
+#include <openssl/obj_mac.h>
+#elif LMBEDTLS
+#include <mbedtls/x509.h>
+#include <mbedtls/x509_crt.h>
+#endif
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#define DATE_LEN 128
+
+struct certificate_profile {
+	char *path;
+#ifdef LOPENSSL
+	X509 *openssl_cert;
+#elif LMBEDTLS
+	mbedtls_x509_crt mbdtls_cert;
+#endif
+	struct uci_section *dmmap_sect;
+};
+
+extern DMOBJ tSecurityObj[];
+extern DMLEAF tSecurityParams[];
+extern DMLEAF tSecurityCertificateParams[];
+
+int browseSecurityCertificateInst(struct dmctx *dmctx, DMNODE *parent_node, void *prev_data, char *prev_instance);
+
+int get_Security_CertificateNumberOfEntries(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_Enable(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int set_SecurityCertificate_Enable(char *refparam, struct dmctx *ctx, void *data, char *instance, char *value, int action);
+int get_SecurityCertificate_LastModif(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_SerialNumber(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_Issuer(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_NotBefore(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_NotAfter(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_Subject(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_SubjectAlt(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+int get_SecurityCertificate_SignatureAlgorithm(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value);
+#endif //__SECURITY_H
+
--- a/libbbf_api/dmcommon.c
+++ b/libbbf_api/dmcommon.c
@ -2050,3 +2050,116 @@ int dm_validate_int_list(char *value, char *min_item, char *max_item, char *max_

 	return 0;
 }
+
+int get_base64char_value(char b64) {
+	char *base64C = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	int i;
+	for(i = 0; i<64; i++)
+			if ( base64C[i] == b64 )
+					return i;
+	return -1;
+}
+
+char *decode64 (char *enc) {
+	int i, j=0;
+	size_t decsize = strlen(enc)*6/8;
+	char *dec = (char *)dmmalloc((decsize +1) * sizeof(char));
+
+	for (i=0; i<strlen(enc)-1; i++) {
+			dec[j] = (get_base64char_value(enc[i]) << (j%3==0?2:(j%3==1?4:6))) + (get_base64char_value(enc[i+1]) >> (j%3==0?4:     (j%3==1? 2:0)));
+			if( j%3 == 2)
+					i++;
+			j++;
+	}
+	dec[j] = '\0';
+	return dec;
+}
+
+int is_string_exist_in_str_array(char **cert_paths, int length, char *dirpath, char *filename) {
+	int i;
+
+	for(i=0; i<length; i++) {
+		if(strncmp(cert_paths[i], dirpath, strlen(dirpath)) == 0 && strstr(cert_paths[i], filename))
+			return 1;
+	}
+	return 0;
+}
+
+int is_regular_file(const char *path)
+{
+	if (access(path, F_OK)!=0)
+		return 1;
+    struct stat path_stat;
+    stat(path, &path_stat);
+    return S_ISREG(path_stat.st_mode);
+}
+
+char *get_cert_directory_path_from_uci(char *ucipath) {
+	char **uci_elts = NULL, **dirs = NULL;
+	char *pth = NULL;
+	size_t length;
+
+	uci_elts = strsplit(ucipath, ".", &length);
+	dmuci_get_option_value_string(uci_elts[0], uci_elts[1], uci_elts[2], &pth);
+	if(is_regular_file(pth)) {
+		dirs = strsplit(pth, "/", &length);
+		char *filenamepos = strstr(pth, dirs[length - 1]);
+		char *dirpath = (char *)dmmalloc((filenamepos - pth + 1)*sizeof(char));
+		memcpy(dirpath, pth, filenamepos - pth);
+		dirpath[filenamepos - pth] = '\0';
+		return dirpath;
+	}
+	return pth;
+}
+
+char **get_all_iop_certificates(int* length) {
+	char * certs_uci[] = {"openvpn.sample_server.cert", "openvpn.sample_client.cert", "owsd.ubusproxy.peer_cert", "owsd.wan_https.cert"};
+	int i, j=0;
+	char *dirpath = NULL;
+	int number_certs_dirs = sizeof(certs_uci)/sizeof(certs_uci[0]);
+
+	char **certificates_paths = NULL;
+	certificates_paths = (char**)dmmalloc(1024 * sizeof(char*));
+
+	for (i=0; i<number_certs_dirs; i++) {
+		dirpath = get_cert_directory_path_from_uci(certs_uci[i]);
+		if(dirpath && strlen(dirpath)>0) {
+			DIR *dir;
+			struct dirent *ent;
+			if ((dir = opendir(dirpath)) == NULL)
+				continue;
+			while ((ent = readdir (dir)) != NULL) {
+				if(ent->d_name[0] == '.' || is_string_exist_in_str_array(certificates_paths, j, dirpath, ent->d_name))
+					continue;
+				dmasprintf(&certificates_paths[j],"%s%s", dirpath, ent->d_name);
+				j++;
+			}
+			dmfree(dirpath);
+			dirpath = NULL;
+		}
+	}
+	*length = j;
+	return certificates_paths;
+}
+
+char* stringToHex(char *text, int length) {
+  char *hex = NULL;
+
+  hex = (char *)dmcalloc(100, sizeof(char));
+
+  for (int i = 0, j = 0; i < length; ++i, j += 3){
+    sprintf(hex + j, "%02x", text[i] & 0xff);
+    if(i<length-1)
+    	sprintf(hex + j+2, "%c", ':');
+  }
+  return hex;
+}
+
+char* replace_char(char* str, char find, char replace){
+    char *current_pos = strchr(str,find);
+    while (current_pos){
+        *current_pos = replace;
+        current_pos = strchr(current_pos,find);
+    }
+    return str;
+}
--- a/libbbf_api/dmcommon.h
+++ b/libbbf_api/dmcommon.h
@ -315,4 +315,8 @@ int dm_validate_hexBinary(char *value, char *min, char *max);
 int dm_validate_string_list(char *value, char *min_item, char *max_item, char *max_size, char *min, char *max, char *enumeration[], char *pattern[]);
 int dm_validate_unsignedInt_list(char *value, char *min_item, char *max_item, char *max_size, char *min, char *max);
 int dm_validate_int_list(char *value, char *min_item, char *max_item, char *max_size, char *min, char *max);
+char **get_all_iop_certificates(int* length);
+char *decode64 (char *enc);
+char* stringToHex(char *text, int length);
+char* replace_char(char* str, char find, char replace);
 #endif