From: Guido Vranken Date: Fri, 23 Jun 2017 14:27:45 +0000 (+0200) Subject: Add ssl_verify* fuzzer X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cb53cd9ad414eb3f06ca4570d874ce0942b52fa;p=thirdparty%2Fopenvpn.git Add ssl_verify* fuzzer --- diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 31fe9723b..fd19bfb73 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -129,7 +129,8 @@ extra_PROGRAMS = \ openvpn-fuzzer-dhcp openvpn-fuzzer-dhcp-standalone \ openvpn-fuzzer-forward openvpn-fuzzer-forward-standalone \ openvpn-fuzzer-proxy openvpn-fuzzer-proxy-standalone \ - openvpn-fuzzer-options openvpn-fuzzer-options-standalone + openvpn-fuzzer-options openvpn-fuzzer-options-standalone \ + openvpn-fuzzer-verify-cert openvpn-fuzzer-verify-cert-standalone extradir = . fuzzer_sources = dummy.cpp fuzzer_cflags = \ @@ -182,6 +183,11 @@ openvpn_fuzzer_options_LDFLAGS = $(fuzzer_ldflags) openvpn_fuzzer_options_CFLAGS = $(fuzzer_cflags) openvpn_fuzzer_options_LDADD = $(fuzzer_ldadd) fuzzer-options.o libFuzzer.a +openvpn_fuzzer_verify_cert_SOURCES = $(fuzzer_sources) +openvpn_fuzzer_verify_cert_LDFLAGS = $(fuzzer_ldflags) +openvpn_fuzzer_verify_cert_CFLAGS = $(fuzzer_cflags) +openvpn_fuzzer_verify_cert_LDADD = $(fuzzer_ldadd) fuzzer-verify-cert.o libFuzzer.a + openvpn_fuzzer_base64_standalone_SOURCES = fuzzer-standalone-loader.c openvpn_fuzzer_base64_standalone_LDFLAGS = $(fuzzer_ldflags) openvpn_fuzzer_base64_standalone_CFLAGS = $(fuzzer_cflags) 
@@ -211,3 +217,8 @@ openvpn_fuzzer_options_standalone_SOURCES = fuzzer-standalone-loader.c
 openvpn_fuzzer_options_standalone_LDFLAGS = $(fuzzer_ldflags)
 openvpn_fuzzer_options_standalone_CFLAGS = $(fuzzer_cflags)
 openvpn_fuzzer_options_standalone_LDADD = $(fuzzer_ldadd) fuzzer-options.o
+
+openvpn_fuzzer_verify_cert_standalone_SOURCES = fuzzer-standalone-loader.c
+openvpn_fuzzer_verify_cert_standalone_LDFLAGS = $(fuzzer_ldflags)
+openvpn_fuzzer_verify_cert_standalone_CFLAGS = $(fuzzer_cflags)
+openvpn_fuzzer_verify_cert_standalone_LDADD = $(fuzzer_ldadd) fuzzer-verify-cert.o
diff --git a/src/openvpn/fuzzer-verify-cert.c b/src/openvpn/fuzzer-verify-cert.c
new file mode 100644
index 000000000..ec9c03560
--- /dev/null
+++ b/src/openvpn/fuzzer-verify-cert.c
@@ -0,0 +1,178 @@
+#include "config.h"
+#include "syshead.h"
+
+#if defined(ENABLE_CRYPTO_OPENSSL)
+#include
+#include
+#else
+#endif
+
+#include "fuzzing.h"
+#include "fuzzer-verify-cert.h"
+#include "misc.h"
+#include "manage.h"
+#include "otime.h"
+#include "base64.h"
+#include "ssl_verify.h"
+#include "ssl_verify_backend.h"
+
+#define SUBBUFFER_SIZE 256
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ return 1;
+}
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct tls_session* session;
+ struct gc_arena gc;
+ unsigned int generic_uint;
+ ssize_t generic_ssizet;
+ ssize_t nid;
+#if defined(ENABLE_CRYPTO_OPENSSL)
+ X509* x509 = NULL;
+#else
+ mbedtls_x509_crt x509;
+#endif
+
+ if ( size < SUBBUFFER_SIZE )
+ {
+ return 0;
+ }
+
+ gc = gc_new();
+
+ fuzzer_set_input((unsigned char*)data, size);
+
+ data += SUBBUFFER_SIZE;
+ size -= SUBBUFFER_SIZE;
+
+#if defined(ENABLE_CRYPTO_OPENSSL)
+ x509 = d2i_X509(NULL, (const unsigned char**)&data, size);
+ if ( x509 == NULL )
+ {
+ gc_free(&gc);
+ return 0;
+ }
+#else
+ mbedtls_x509_crt_init(&x509);
+ if ( mbedtls_x509_crt_parse_der(&x509, data, size) != 0 ) {
+ return 0;
+ }
+#endif
+ ALLOC_OBJ_GC(session, struct tls_session, &gc);
+ if ( session == NULL )
+ {
+ goto cleanup;
+ }
+ memset(session, 0xFE, sizeof(struct tls_session));
+
+ ALLOC_OBJ_GC(session->opt, struct tls_options, &gc);
+ if ( session->opt == NULL )
+ {
+ goto cleanup;
+ }
+ memset(session->opt, 0xFE, sizeof(struct tls_options));
+
+ session->opt->es = env_set_create(&gc);
+ session->common_name = NULL;
+ session->opt->x509_username_field = NULL;
+ session->opt->remote_cert_eku = NULL;
+ FUZZER_GET_DATA(&generic_uint, sizeof(generic_uint));
+
+ /* compat_flag() settings are accessed in string_mod_remap_name */
+ compat_flag(generic_uint);
+
+ /* Accessed in server_untrusted() */
+ session->untrusted_addr.dest.addr.sa.sa_family = AF_UNSPEC;
+
+ FUZZER_GET_INTEGER(generic_ssizet, 1);
+ switch ( generic_ssizet )
+ {
+ case 0:
+ FUZZER_GET_INTEGER(nid, (sizeof(nidstrs)/sizeof(nidstrs[0])) - 1);
+ session->opt->x509_username_field = nidstrs[nid];
+ break;
+ case 1:
+ session->opt->x509_username_field = "ext:subjectAltName";
+ break;
+ }
+
+ /* Accessed in set_common_name() */
+ FUZZER_GET_STRING(session->common_name, 256);
+
+ /* Prevents failure if x509 sha1 hashes do not match */
+ session->opt->verify_hash = NULL;
+
+ /* Prevent attempt to run --tls-verify script */
+ session->opt->verify_command = NULL;
+
+ /* Do not verify against CRL file */
+ session->opt->crl_file = NULL;
+
+ /* Do not run --tls-verify plugins */
+ session->opt->plugins = NULL;
+
+ FUZZER_GET_INTEGER(generic_ssizet, 1);
+ switch ( generic_ssizet )
+ {
+ case 0:
+#if defined(ENABLE_CRYPTO_OPENSSL)
+ session->opt->x509_track = NULL;
+#else
+ ALLOC_OBJ_GC(session->opt->x509_track, struct x509_track, &gc);
+ if ( session->opt->x509_track == NULL )
+ {
+ goto cleanup;
+ }
+#endif
+ break;
+ case 1:
+ session->opt->x509_track = NULL;
+ break;
+ }
+
+ FUZZER_GET_INTEGER(generic_ssizet, 2);
+ switch ( generic_ssizet )
+ {
+ case 0:
+ session->opt->ns_cert_type = NS_CERT_CHECK_NONE;
+ break;
+ case 1:
+ session->opt->ns_cert_type = NS_CERT_CHECK_SERVER;
+ break;
+ case 2:
+ session->opt->ns_cert_type = NS_CERT_CHECK_CLIENT;
+ break;
+ }
+
+ FUZZER_GET_DATA(&session->opt->remote_cert_ku, sizeof(session->opt->remote_cert_ku));
+
+ FUZZER_GET_INTEGER(generic_ssizet, 1);
+ switch ( generic_ssizet )
+ {
+ case 0:
+ session->opt->remote_cert_eku = NULL;
+ break;
+ case 1:
+ FUZZER_GET_STRING(session->opt->remote_cert_eku, 256);
+ }
+
+ FUZZER_GET_INTEGER(generic_ssizet, 256);
+#if defined(ENABLE_CRYPTO_OPENSSL)
+ verify_cert(session, x509, generic_ssizet);
+#else
+ verify_cert(session, &x509, generic_ssizet);
+#endif
+
+cleanup:
+ free(session->common_name);
+ free((void*)session->opt->remote_cert_eku);
+#if defined(ENABLE_CRYPTO_OPENSSL)
+ X509_free(x509);
+#else
+ mbedtls_x509_crt_free(&x509);
+#endif
+ gc_free(&gc);
+ return 0;
+}
diff --git a/src/openvpn/fuzzer-verify-cert.h b/src/openvpn/fuzzer-verify-cert.h
new file mode 100644
index 000000000..dabc4ffa0
--- /dev/null
+++ b/src/openvpn/fuzzer-verify-cert.h
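Review bot: The `cleanup:` label in LLVMFuzzerTestOneInput (fuzzer-verify-cert.c) dereferences `session` and `session->opt` unconditionally, yet the two `goto cleanup` branches after the first two ALLOC_OBJ_GC calls reach it with exactly those pointers NULL, and the second one also reaches it while `session->common_name` still holds the 0xFE poison from the memset, so `free()` would receive a garbage pointer. Those branches may be unreachable if ALLOC_OBJ_GC aborts on allocation failure (its definition is outside this diff), but as written the error path is itself a crash, and a crash in the harness is hard to tell apart from a finding in verify_cert() during triage. The mbedTLS parse-failure branch also returns without the `gc_free(&gc)` and certificate free that the OpenSSL branch and `cleanup:` perform; routing it through `cleanup` keeps both backends symmetric. In the mbedTLS build the `x509_track` node from ALLOC_OBJ_GC is handed to verify_cert() without any field being set; if that macro does not zero memory, `ALLOC_OBJ_CLEAR_GC` or explicit field setup would avoid harness-induced reads of uninitialised pointers. The fence shows the guarded cleanup and the early NULL assignments it depends on.

```c
    struct tls_session* session = NULL;
    /* … unchanged: other locals, size check, gc_new(), fuzzer_set_input() … */
    if ( mbedtls_x509_crt_parse_der(&x509, data, size) != 0 ) {
        goto cleanup;
    }
    /* … unchanged: ALLOC_OBJ_GC(session, …) and its NULL check … */
    memset(session, 0xFE, sizeof(struct tls_session));
    /* Clear every pointer that cleanup touches before a later goto can reach it. */
    session->common_name = NULL;
    session->opt = NULL;
    /* … unchanged: ALLOC_OBJ_GC(session->opt, …), option setup, verify_cert() … */
cleanup:
    if ( session != NULL )
    {
        free(session->common_name);
        if ( session->opt != NULL )
        {
            free((void*)session->opt->remote_cert_eku);
        }
    }
    /* … unchanged: X509_free / mbedtls_x509_crt_free, gc_free(&gc), return 0 … */
```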
@@ -0,0 +1,1053 @@ +static char* nidstrs[] = { +"AD_DVCS", +"AES-128-CBC", +"AES-128-CBC-HMAC-SHA1", +"AES-128-CBC-HMAC-SHA256", +"AES-128-CFB", +"AES-128-CFB1", +"AES-128-CFB8", +"AES-128-CTR", +"AES-128-ECB", +"AES-128-OCB", +"AES-128-OFB", +"AES-128-XTS", +"AES-192-CBC", +"AES-192-CBC-HMAC-SHA1", +"AES-192-CBC-HMAC-SHA256", +"AES-192-CFB", +"AES-192-CFB1", +"AES-192-CFB8", +"AES-192-CTR", +"AES-192-ECB", +"AES-192-OCB", +"AES-192-OFB", +"AES-256-CBC", +"AES-256-CBC-HMAC-SHA1", +"AES-256-CBC-HMAC-SHA256", +"AES-256-CFB", +"AES-256-CFB1", +"AES-256-CFB8", +"AES-256-CTR", +"AES-256-ECB", +"AES-256-OCB", +"AES-256-OFB", +"AES-256-XTS", +"AuthDSS", +"AuthECDSA", +"AuthGOST01", +"AuthGOST12", +"AuthNULL", +"AuthPSK", +"AuthRSA", +"AuthSRP", +"BF-CBC", +"BF-CFB", +"BF-ECB", +"BF-OFB", +"BLAKE2b512", +"BLAKE2s256", +"C", +"CAMELLIA-128-CBC", +"CAMELLIA-128-CCM", +"CAMELLIA-128-CFB", +"CAMELLIA-128-CFB1", +"CAMELLIA-128-CFB8", +"CAMELLIA-128-CMAC", +"CAMELLIA-128-CTR", +"CAMELLIA-128-ECB", +"CAMELLIA-128-GCM", +"CAMELLIA-128-OFB", +"CAMELLIA-192-CBC", +"CAMELLIA-192-CCM", +"CAMELLIA-192-CFB", +"CAMELLIA-192-CFB1", +"CAMELLIA-192-CFB8", +"CAMELLIA-192-CMAC", +"CAMELLIA-192-CTR", +"CAMELLIA-192-ECB", +"CAMELLIA-192-GCM", +"CAMELLIA-192-OFB", +"CAMELLIA-256-CBC", +"CAMELLIA-256-CCM", +"CAMELLIA-256-CFB", +"CAMELLIA-256-CFB1", +"CAMELLIA-256-CFB8", +"CAMELLIA-256-CMAC", +"CAMELLIA-256-CTR", +"CAMELLIA-256-ECB", +"CAMELLIA-256-GCM", +"CAMELLIA-256-OFB", +"CAST5-CBC", +"CAST5-CFB", +"CAST5-ECB", +"CAST5-OFB", +"CMAC", +"CN", +"CRLReason", +"CSPName", +"ChaCha20", +"ChaCha20-Poly1305", +"CrlID", +"DC", +"DES-CBC", +"DES-CDMF", +"DES-CFB", +"DES-CFB1", +"DES-CFB8", +"DES-ECB", +"DES-EDE", +"DES-EDE-CBC", +"DES-EDE-CFB", +"DES-EDE-OFB", +"DES-EDE3", +"DES-EDE3-CBC", +"DES-EDE3-CFB", +"DES-EDE3-CFB1", +"DES-EDE3-CFB8", +"DES-EDE3-OFB", +"DES-OFB", +"DESX-CBC", +"DOD", +"DSA", +"DSA-SHA", +"DSA-SHA1", +"DSA-SHA1-old", +"DSA-old", +"DVCS", +"GN", +"HKDF", +"HMAC", +"HMAC-MD5", 
+"HMAC-SHA1", +"IANA", +"IDEA-CBC", +"IDEA-CFB", +"IDEA-ECB", +"IDEA-OFB", +"INN", +"ISO", +"ISO-US", +"ITU-T", +"JOINT-ISO-ITU-T", +"KISA", +"KxDHE", +"KxDHE-PSK", +"KxECDHE", +"KxECDHE-PSK", +"KxGOST", +"KxPSK", +"KxRSA", +"KxRSA_PSK", +"KxSRP", +"L", +"LocalKeySet", +"MD2", +"MD4", +"MD5", +"MD5-SHA1", +"MDC2", +"MGF1", +"Mail", +"NULL", +"Netscape", +"Nonce", +"O", +"OCSP", +"OCSPSigning", +"OGRN", +"ORG", +"OU", +"Oakley-EC2N-3", +"Oakley-EC2N-4", +"PBE-MD2-DES", +"PBE-MD2-RC2-64", +"PBE-MD5-DES", +"PBE-MD5-RC2-64", +"PBE-SHA1-2DES", +"PBE-SHA1-3DES", +"PBE-SHA1-DES", +"PBE-SHA1-RC2-128", +"PBE-SHA1-RC2-40", +"PBE-SHA1-RC2-64", +"PBE-SHA1-RC4-128", +"PBE-SHA1-RC4-40", +"PBES2", +"PBKDF2", +"PBMAC1", +"PKIX", +"PSPECIFIED", +"RC2-40-CBC", +"RC2-64-CBC", +"RC2-CBC", +"RC2-CFB", +"RC2-ECB", +"RC2-OFB", +"RC4", +"RC4-40", +"RC4-HMAC-MD5", +"RC5-CBC", +"RC5-CFB", +"RC5-ECB", +"RC5-OFB", +"RIPEMD160", +"RSA", +"RSA-MD2", +"RSA-MD4", +"RSA-MD5", +"RSA-MDC2", +"RSA-NP-MD5", +"RSA-RIPEMD160", +"RSA-SHA", +"RSA-SHA1", +"RSA-SHA1-2", +"RSA-SHA224", +"RSA-SHA256", +"RSA-SHA384", +"RSA-SHA512", +"RSAES-OAEP", +"RSASSA-PSS", +"SEED-CBC", +"SEED-CFB", +"SEED-ECB", +"SEED-OFB", +"SHA", +"SHA1", +"SHA224", +"SHA256", +"SHA384", +"SHA512", +"SMIME", +"SMIME-CAPS", +"SN", +"SNILS", +"ST", +"SXNetID", +"TLS1-PRF", +"UID", +"UNDEF", +"X25519", +"X448", +"X500", +"X500algorithms", +"X509", +"X9-57", +"X9cm", +"ZLIB", +"aRecord", +"aaControls", +"ac-auditEntity", +"ac-proxying", +"ac-targeting", +"acceptableResponses", +"account", +"ad_timestamping", +"algorithm", +"ansi-X9-62", +"anyExtendedKeyUsage", +"anyPolicy", +"archiveCutoff", +"associatedDomain", +"associatedName", +"audio", +"authorityInfoAccess", +"authorityKeyIdentifier", +"authorityRevocationList", +"basicConstraints", +"basicOCSPResponse", +"biometricInfo", +"brainpoolP160r1", +"brainpoolP160t1", +"brainpoolP192r1", +"brainpoolP192t1", +"brainpoolP224r1", +"brainpoolP224t1", +"brainpoolP256r1", +"brainpoolP256t1", 
+"brainpoolP320r1", +"brainpoolP320t1", +"brainpoolP384r1", +"brainpoolP384t1", +"brainpoolP512r1", +"brainpoolP512t1", +"buildingName", +"businessCategory", +"c2onb191v4", +"c2onb191v5", +"c2onb239v4", +"c2onb239v5", +"c2pnb163v1", +"c2pnb163v2", +"c2pnb163v3", +"c2pnb176v1", +"c2pnb208w1", +"c2pnb272w1", +"c2pnb304w1", +"c2pnb368w1", +"c2tnb191v1", +"c2tnb191v2", +"c2tnb191v3", +"c2tnb239v1", +"c2tnb239v2", +"c2tnb239v3", +"c2tnb359v1", +"c2tnb431r1", +"cACertificate", +"cNAMERecord", +"caIssuers", +"caRepository", +"capwapAC", +"capwapWTP", +"caseIgnoreIA5StringSyntax", +"certBag", +"certicom-arc", +"certificateIssuer", +"certificatePolicies", +"certificateRevocationList", +"challengePassword", +"characteristic-two-field", +"clearance", +"clientAuth", +"codeSigning", +"contentType", +"countersignature", +"crlBag", +"crlDistributionPoints", +"crlNumber", +"crossCertificatePair", +"cryptocom", +"cryptopro", +"ct_cert_scts", +"ct_precert_poison", +"ct_precert_scts", +"ct_precert_signer", +"dITRedirect", +"dNSDomain", +"dSAQuality", +"data", +"dcobject", +"deltaCRL", +"deltaRevocationList", +"description", +"destinationIndicator", +"dh-cofactor-kdf", +"dh-std-kdf", +"dhKeyAgreement", +"dhSinglePass-cofactorDH-sha1kdf-scheme", +"dhSinglePass-cofactorDH-sha224kdf-scheme", +"dhSinglePass-cofactorDH-sha256kdf-scheme", +"dhSinglePass-cofactorDH-sha384kdf-scheme", +"dhSinglePass-cofactorDH-sha512kdf-scheme", +"dhSinglePass-stdDH-sha1kdf-scheme", +"dhSinglePass-stdDH-sha224kdf-scheme", +"dhSinglePass-stdDH-sha256kdf-scheme", +"dhSinglePass-stdDH-sha384kdf-scheme", +"dhSinglePass-stdDH-sha512kdf-scheme", +"dhpublicnumber", +"directory", +"distinguishedName", +"dmdName", +"dnQualifier", +"document", +"documentAuthor", +"documentIdentifier", +"documentLocation", +"documentPublisher", +"documentSeries", +"documentTitle", +"documentVersion", +"domain", +"domainRelatedObject", +"dsa_with_SHA224", +"dsa_with_SHA256", +"ecdsa-with-Recommended", +"ecdsa-with-SHA1", 
+"ecdsa-with-SHA224", +"ecdsa-with-SHA256", +"ecdsa-with-SHA384", +"ecdsa-with-SHA512", +"ecdsa-with-Specified", +"emailAddress", +"emailProtection", +"enhancedSearchGuide", +"enterprises", +"experimental", +"extReq", +"extendedCertificateAttributes", +"extendedKeyUsage", +"extendedStatus", +"facsimileTelephoneNumber", +"favouriteDrink", +"freshestCRL", +"friendlyCountry", +"friendlyCountryName", +"friendlyName", +"generationQualifier", +"gost-mac", +"gost-mac-12", +"gost2001", +"gost2001cc", +"gost2012_256", +"gost2012_512", +"gost89", +"gost89-cbc", +"gost89-cnt", +"gost89-cnt-12", +"gost89-ctr", +"gost89-ecb", +"gost94", +"gost94cc", +"grasshopper-cbc", +"grasshopper-cfb", +"grasshopper-ctr", +"grasshopper-ecb", +"grasshopper-mac", +"grasshopper-ofb", +"hmacWithMD5", +"hmacWithSHA1", +"hmacWithSHA224", +"hmacWithSHA256", +"hmacWithSHA384", +"hmacWithSHA512", +"holdInstructionCallIssuer", +"holdInstructionCode", +"holdInstructionNone", +"holdInstructionReject", +"homePostalAddress", +"homeTelephoneNumber", +"host", +"houseIdentifier", +"iA5StringSyntax", +"id-DHBasedMac", +"id-Gost28147-89-CryptoPro-A-ParamSet", +"id-Gost28147-89-CryptoPro-B-ParamSet", +"id-Gost28147-89-CryptoPro-C-ParamSet", +"id-Gost28147-89-CryptoPro-D-ParamSet", +"id-Gost28147-89-CryptoPro-KeyMeshing", +"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet", +"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet", +"id-Gost28147-89-CryptoPro-RIC-1-ParamSet", +"id-Gost28147-89-None-KeyMeshing", +"id-Gost28147-89-TestParamSet", +"id-Gost28147-89-cc", +"id-GostR3410-2001-CryptoPro-A-ParamSet", +"id-GostR3410-2001-CryptoPro-B-ParamSet", +"id-GostR3410-2001-CryptoPro-C-ParamSet", +"id-GostR3410-2001-CryptoPro-XchA-ParamSet", +"id-GostR3410-2001-CryptoPro-XchB-ParamSet", +"id-GostR3410-2001-ParamSet-cc", +"id-GostR3410-2001-TestParamSet", +"id-GostR3410-2001DH", +"id-GostR3410-94-CryptoPro-A-ParamSet", +"id-GostR3410-94-CryptoPro-B-ParamSet", +"id-GostR3410-94-CryptoPro-C-ParamSet", 
+"id-GostR3410-94-CryptoPro-D-ParamSet", +"id-GostR3410-94-CryptoPro-XchA-ParamSet", +"id-GostR3410-94-CryptoPro-XchB-ParamSet", +"id-GostR3410-94-CryptoPro-XchC-ParamSet", +"id-GostR3410-94-TestParamSet", +"id-GostR3410-94-a", +"id-GostR3410-94-aBis", +"id-GostR3410-94-b", +"id-GostR3410-94-bBis", +"id-GostR3410-94DH", +"id-GostR3411-94-CryptoProParamSet", +"id-GostR3411-94-TestParamSet", +"id-GostR3411-94-with-GostR3410-2001", +"id-GostR3411-94-with-GostR3410-2001-cc", +"id-GostR3411-94-with-GostR3410-94", +"id-GostR3411-94-with-GostR3410-94-cc", +"id-HMACGostR3411-94", +"id-PasswordBasedMAC", +"id-aca", +"id-aca-accessIdentity", +"id-aca-authenticationInfo", +"id-aca-chargingIdentity", +"id-aca-encAttrs", +"id-aca-group", +"id-aca-role", +"id-ad", +"id-aes128-CCM", +"id-aes128-GCM", +"id-aes128-wrap", +"id-aes128-wrap-pad", +"id-aes192-CCM", +"id-aes192-GCM", +"id-aes192-wrap", +"id-aes192-wrap-pad", +"id-aes256-CCM", +"id-aes256-GCM", +"id-aes256-wrap", +"id-aes256-wrap-pad", +"id-alg", +"id-alg-PWRI-KEK", +"id-alg-des40", +"id-alg-dh-pop", +"id-alg-dh-sig-hmac-sha1", +"id-alg-noSignature", +"id-camellia128-wrap", +"id-camellia192-wrap", +"id-camellia256-wrap", +"id-cct", +"id-cct-PKIData", +"id-cct-PKIResponse", +"id-cct-crs", +"id-ce", +"id-characteristic-two-basis", +"id-cmc", +"id-cmc-addExtensions", +"id-cmc-confirmCertAcceptance", +"id-cmc-dataReturn", +"id-cmc-decryptedPOP", +"id-cmc-encryptedPOP", +"id-cmc-getCRL", +"id-cmc-getCert", +"id-cmc-identification", +"id-cmc-identityProof", +"id-cmc-lraPOPWitness", +"id-cmc-popLinkRandom", +"id-cmc-popLinkWitness", +"id-cmc-queryPending", +"id-cmc-recipientNonce", +"id-cmc-regInfo", +"id-cmc-responseInfo", +"id-cmc-revokeRequest", +"id-cmc-senderNonce", +"id-cmc-statusInfo", +"id-cmc-transactionId", +"id-ct-asciiTextWithCRLF", +"id-ct-xml", +"id-ecPublicKey", +"id-hex-multipart-message", +"id-hex-partial-message", +"id-it", +"id-it-caKeyUpdateInfo", +"id-it-caProtEncCert", +"id-it-confirmWaitTime", 
+"id-it-currentCRL", +"id-it-encKeyPairTypes", +"id-it-implicitConfirm", +"id-it-keyPairParamRep", +"id-it-keyPairParamReq", +"id-it-origPKIMessage", +"id-it-preferredSymmAlg", +"id-it-revPassphrase", +"id-it-signKeyPairTypes", +"id-it-subscriptionRequest", +"id-it-subscriptionResponse", +"id-it-suppLangTags", +"id-it-unsupportedOIDs", +"id-kp", +"id-mod-attribute-cert", +"id-mod-cmc", +"id-mod-cmp", +"id-mod-cmp2000", +"id-mod-crmf", +"id-mod-dvcs", +"id-mod-kea-profile-88", +"id-mod-kea-profile-93", +"id-mod-ocsp", +"id-mod-qualified-cert-88", +"id-mod-qualified-cert-93", +"id-mod-timestamp-protocol", +"id-on", +"id-on-permanentIdentifier", +"id-on-personalData", +"id-pda", +"id-pda-countryOfCitizenship", +"id-pda-countryOfResidence", +"id-pda-dateOfBirth", +"id-pda-gender", +"id-pda-placeOfBirth", +"id-pe", +"id-pkinit", +"id-pkip", +"id-pkix-mod", +"id-pkix1-explicit-88", +"id-pkix1-explicit-93", +"id-pkix1-implicit-88", +"id-pkix1-implicit-93", +"id-ppl", +"id-ppl-anyLanguage", +"id-ppl-independent", +"id-ppl-inheritAll", +"id-qcs", +"id-qcs-pkixQCSyntax-v1", +"id-qt", +"id-qt-cps", +"id-qt-unotice", +"id-regCtrl", +"id-regCtrl-authenticator", +"id-regCtrl-oldCertID", +"id-regCtrl-pkiArchiveOptions", +"id-regCtrl-pkiPublicationInfo", +"id-regCtrl-protocolEncrKey", +"id-regCtrl-regToken", +"id-regInfo", +"id-regInfo-certReq", +"id-regInfo-utf8Pairs", +"id-scrypt", +"id-set", +"id-smime-aa", +"id-smime-aa-contentHint", +"id-smime-aa-contentIdentifier", +"id-smime-aa-contentReference", +"id-smime-aa-dvcs-dvc", +"id-smime-aa-encapContentType", +"id-smime-aa-encrypKeyPref", +"id-smime-aa-equivalentLabels", +"id-smime-aa-ets-CertificateRefs", +"id-smime-aa-ets-RevocationRefs", +"id-smime-aa-ets-archiveTimeStamp", +"id-smime-aa-ets-certCRLTimestamp", +"id-smime-aa-ets-certValues", +"id-smime-aa-ets-commitmentType", +"id-smime-aa-ets-contentTimestamp", +"id-smime-aa-ets-escTimeStamp", +"id-smime-aa-ets-otherSigCert", +"id-smime-aa-ets-revocationValues", 
+"id-smime-aa-ets-sigPolicyId", +"id-smime-aa-ets-signerAttr", +"id-smime-aa-ets-signerLocation", +"id-smime-aa-macValue", +"id-smime-aa-mlExpandHistory", +"id-smime-aa-msgSigDigest", +"id-smime-aa-receiptRequest", +"id-smime-aa-securityLabel", +"id-smime-aa-signatureType", +"id-smime-aa-signingCertificate", +"id-smime-aa-smimeEncryptCerts", +"id-smime-aa-timeStampToken", +"id-smime-alg", +"id-smime-alg-3DESwrap", +"id-smime-alg-CMS3DESwrap", +"id-smime-alg-CMSRC2wrap", +"id-smime-alg-ESDH", +"id-smime-alg-ESDHwith3DES", +"id-smime-alg-ESDHwithRC2", +"id-smime-alg-RC2wrap", +"id-smime-cd", +"id-smime-cd-ldap", +"id-smime-ct", +"id-smime-ct-DVCSRequestData", +"id-smime-ct-DVCSResponseData", +"id-smime-ct-TDTInfo", +"id-smime-ct-TSTInfo", +"id-smime-ct-authData", +"id-smime-ct-authEnvelopedData", +"id-smime-ct-compressedData", +"id-smime-ct-contentCollection", +"id-smime-ct-contentInfo", +"id-smime-ct-publishCert", +"id-smime-ct-receipt", +"id-smime-cti", +"id-smime-cti-ets-proofOfApproval", +"id-smime-cti-ets-proofOfCreation", +"id-smime-cti-ets-proofOfDelivery", +"id-smime-cti-ets-proofOfOrigin", +"id-smime-cti-ets-proofOfReceipt", +"id-smime-cti-ets-proofOfSender", +"id-smime-mod", +"id-smime-mod-cms", +"id-smime-mod-ess", +"id-smime-mod-ets-eSigPolicy-88", +"id-smime-mod-ets-eSigPolicy-97", +"id-smime-mod-ets-eSignature-88", +"id-smime-mod-ets-eSignature-97", +"id-smime-mod-msg-v3", +"id-smime-mod-oid", +"id-smime-spq", +"id-smime-spq-ets-sqt-unotice", +"id-smime-spq-ets-sqt-uri", +"id-tc26", +"id-tc26-agreement", +"id-tc26-agreement-gost-3410-2012-256", +"id-tc26-agreement-gost-3410-2012-512", +"id-tc26-algorithms", +"id-tc26-cipher", +"id-tc26-cipher-constants", +"id-tc26-constants", +"id-tc26-digest", +"id-tc26-digest-constants", +"id-tc26-gost-28147-constants", +"id-tc26-gost-28147-param-Z", +"id-tc26-gost-3410-2012-512-constants", +"id-tc26-gost-3410-2012-512-paramSetA", +"id-tc26-gost-3410-2012-512-paramSetB", +"id-tc26-gost-3410-2012-512-paramSetTest", 
+"id-tc26-hmac-gost-3411-2012-256", +"id-tc26-hmac-gost-3411-2012-512", +"id-tc26-mac", +"id-tc26-sign", +"id-tc26-sign-constants", +"id-tc26-signwithdigest", +"id-tc26-signwithdigest-gost3410-2012-256", +"id-tc26-signwithdigest-gost3410-2012-512", +"identified-organization", +"info", +"inhibitAnyPolicy", +"initials", +"international-organizations", +"internationaliSDNNumber", +"invalidityDate", +"ipsecEndSystem", +"ipsecIKE", +"ipsecTunnel", +"ipsecUser", +"issuerAltName", +"issuerSignTool", +"issuingDistributionPoint", +"janetMailbox", +"jurisdictionC", +"jurisdictionL", +"jurisdictionST", +"keyBag", +"keyUsage", +"lastModifiedBy", +"lastModifiedTime", +"localKeyID", +"mXRecord", +"mail", +"mailPreferenceOption", +"manager", +"md_gost12_256", +"md_gost12_512", +"md_gost94", +"member", +"member-body", +"messageDigest", +"mgmt", +"mime-mhs", +"mime-mhs-bodies", +"mime-mhs-headings", +"mobileTelephoneNumber", +"msCTLSign", +"msCodeCom", +"msCodeInd", +"msEFS", +"msExtReq", +"msSGC", +"msSmartcardLogin", +"msUPN", +"nSRecord", +"name", +"nameConstraints", +"noCheck", +"noRevAvail", +"nsBaseUrl", +"nsCaPolicyUrl", +"nsCaRevocationUrl", +"nsCertExt", +"nsCertSequence", +"nsCertType", +"nsComment", +"nsDataType", +"nsRenewalUrl", +"nsRevocationUrl", +"nsSGC", +"nsSslServerName", +"onBasis", +"organizationalStatus", +"otherMailbox", +"owner", +"pagerTelephoneNumber", +"path", +"pbeWithMD5AndCast5CBC", +"personalSignature", +"personalTitle", +"photo", +"physicalDeliveryOfficeName", +"pilot", +"pilotAttributeSyntax", +"pilotAttributeType", +"pilotAttributeType27", +"pilotDSA", +"pilotGroups", +"pilotObject", +"pilotObjectClass", +"pilotOrganization", +"pilotPerson", +"pkInitClientAuth", +"pkInitKDC", +"pkcs", +"pkcs1", +"pkcs3", +"pkcs5", +"pkcs7", +"pkcs7-data", +"pkcs7-digestData", +"pkcs7-encryptedData", +"pkcs7-envelopedData", +"pkcs7-signedAndEnvelopedData", +"pkcs7-signedData", +"pkcs8ShroudedKeyBag", +"pkcs9", +"policyConstraints", +"policyMappings", 
+"postOfficeBox", +"postalAddress", +"postalCode", +"ppBasis", +"preferredDeliveryMethod", +"presentationAddress", +"prf-gostr3411-94", +"prime-field", +"prime192v1", +"prime192v2", +"prime192v3", +"prime239v1", +"prime239v2", +"prime239v3", +"prime256v1", +"private", +"privateKeyUsagePeriod", +"protocolInformation", +"proxyCertInfo", +"pseudonym", +"pss", +"qcStatements", +"qualityLabelledData", +"rFC822localPart", +"registeredAddress", +"role", +"roleOccupant", +"room", +"roomNumber", +"rsaEncryption", +"rsaOAEPEncryptionSET", +"rsaSignature", +"rsadsi", +"sOARecord", +"safeContentsBag", +"sbgp-autonomousSysNum", +"sbgp-ipAddrBlock", +"sbgp-routerIdentifier", +"sdsiCertificate", +"searchGuide", +"secp112r1", +"secp112r2", +"secp128r1", +"secp128r2", +"secp160k1", +"secp160r1", +"secp160r2", +"secp192k1", +"secp224k1", +"secp224r1", +"secp256k1", +"secp384r1", +"secp521r1", +"secretBag", +"secretary", +"sect113r1", +"sect113r2", +"sect131r1", +"sect131r2", +"sect163k1", +"sect163r1", +"sect163r2", +"sect193r1", +"sect193r2", +"sect233k1", +"sect233r1", +"sect239k1", +"sect283k1", +"sect283r1", +"sect409k1", +"sect409r1", +"sect571k1", +"sect571r1", +"secureShellClient", +"secureShellServer", +"security", +"seeAlso", +"selected-attribute-types", +"sendOwner", +"sendProxiedOwner", +"sendProxiedRouter", +"sendRouter", +"serialNumber", +"serverAuth", +"serviceLocator", +"set-addPolicy", +"set-attr", +"set-brand", +"set-brand-AmericanExpress", +"set-brand-Diners", +"set-brand-IATA-ATA", +"set-brand-JCB", +"set-brand-MasterCard", +"set-brand-Novus", +"set-brand-Visa", +"set-certExt", +"set-ctype", +"set-msgExt", +"set-policy", +"set-policy-root", +"set-rootKeyThumb", +"setAttr-Cert", +"setAttr-GenCryptgrm", +"setAttr-IssCap", +"setAttr-IssCap-CVM", +"setAttr-IssCap-Sig", +"setAttr-IssCap-T2", +"setAttr-PGWYcap", +"setAttr-SecDevSig", +"setAttr-T2Enc", +"setAttr-T2cleartxt", +"setAttr-TokICCsig", +"setAttr-Token-B0Prime", +"setAttr-Token-EMV", +"setAttr-TokenType", 
+"setCext-IssuerCapabilities", +"setCext-PGWYcapabilities", +"setCext-TokenIdentifier", +"setCext-TokenType", +"setCext-Track2Data", +"setCext-cCertRequired", +"setCext-certType", +"setCext-hashedRoot", +"setCext-merchData", +"setCext-setExt", +"setCext-setQualf", +"setCext-tunneling", +"setct-AcqCardCodeMsg", +"setct-AcqCardCodeMsgTBE", +"setct-AuthReqTBE", +"setct-AuthReqTBS", +"setct-AuthResBaggage", +"setct-AuthResTBE", +"setct-AuthResTBEX", +"setct-AuthResTBS", +"setct-AuthResTBSX", +"setct-AuthRevReqBaggage", +"setct-AuthRevReqTBE", +"setct-AuthRevReqTBS", +"setct-AuthRevResBaggage", +"setct-AuthRevResData", +"setct-AuthRevResTBE", +"setct-AuthRevResTBEB", +"setct-AuthRevResTBS", +"setct-AuthTokenTBE", +"setct-AuthTokenTBS", +"setct-BCIDistributionTBS", +"setct-BatchAdminReqData", +"setct-BatchAdminReqTBE", +"setct-BatchAdminResData", +"setct-BatchAdminResTBE", +"setct-CRLNotificationResTBS", +"setct-CRLNotificationTBS", +"setct-CapReqTBE", +"setct-CapReqTBEX", +"setct-CapReqTBS", +"setct-CapReqTBSX", +"setct-CapResData", +"setct-CapResTBE", +"setct-CapRevReqTBE", +"setct-CapRevReqTBEX", +"setct-CapRevReqTBS", +"setct-CapRevReqTBSX", +"setct-CapRevResData", +"setct-CapRevResTBE", +"setct-CapTokenData", +"setct-CapTokenSeq", +"setct-CapTokenTBE", +"setct-CapTokenTBEX", +"setct-CapTokenTBS", +"setct-CardCInitResTBS", +"setct-CertInqReqTBS", +"setct-CertReqData", +"setct-CertReqTBE", +"setct-CertReqTBEX", +"setct-CertReqTBS", +"setct-CertResData", +"setct-CertResTBE", +"setct-CredReqTBE", +"setct-CredReqTBEX", +"setct-CredReqTBS", +"setct-CredReqTBSX", +"setct-CredResData", +"setct-CredResTBE", +"setct-CredRevReqTBE", +"setct-CredRevReqTBEX", +"setct-CredRevReqTBS", +"setct-CredRevReqTBSX", +"setct-CredRevResData", +"setct-CredRevResTBE", +"setct-ErrorTBS", +"setct-HODInput", +"setct-MeAqCInitResTBS", +"setct-OIData", +"setct-PANData", +"setct-PANOnly", +"setct-PANToken", +"setct-PCertReqData", +"setct-PCertResTBS", +"setct-PI", +"setct-PI-TBS", +"setct-PIData", 
+"setct-PIDataUnsigned", +"setct-PIDualSignedTBE", +"setct-PIUnsignedTBE", +"setct-PInitResData", +"setct-PResData", +"setct-RegFormReqTBE", +"setct-RegFormResTBS", +"setext-cv", +"setext-genCrypt", +"setext-miAuth", +"setext-pinAny", +"setext-pinSecure", +"setext-track2", +"signingTime", +"simpleSecurityObject", +"singleLevelQuality", +"snmpv2", +"street", +"subjectAltName", +"subjectDirectoryAttributes", +"subjectInfoAccess", +"subjectKeyIdentifier", +"subjectSignTool", +"subtreeMaximumQuality", +"subtreeMinimumQuality", +"supportedAlgorithms", +"supportedApplicationContext", +"targetInformation", +"telephoneNumber", +"teletexTerminalIdentifier", +"telexNumber", +"textEncodedORAddress", +"textNotice", +"timeStamping", +"title", +"tlsfeature", +"tpBasis", +"trustRoot", +"ucl", +"uid", +"uniqueMember", +"unstructuredAddress", +"unstructuredName", +"userCertificate", +"userClass", +"userPassword", +"valid", +"wap", +"wap-wsg", +"wap-wsg-idm-ecid-wtls1", +"wap-wsg-idm-ecid-wtls10", +"wap-wsg-idm-ecid-wtls11", +"wap-wsg-idm-ecid-wtls12", +"wap-wsg-idm-ecid-wtls3", +"wap-wsg-idm-ecid-wtls4", +"wap-wsg-idm-ecid-wtls5", +"wap-wsg-idm-ecid-wtls6", +"wap-wsg-idm-ecid-wtls7", +"wap-wsg-idm-ecid-wtls8", +"wap-wsg-idm-ecid-wtls9", +"whirlpool", +"x121Address", +"x500UniqueIdentifier", +"x509Certificate", +"x509Crl", +};