Add a fuzzer for the config file machinery.
This fuzzes the config file parser, and the converrsion to X.509
extensions. The initial corpus was computed by:
1. Import every file from OpenSSL 1.1.1 that ends in .cnf.
2. For each section in each such file, add a copy with that section
copied to the top (the "default") section.
3. Also add a file for each unit test.
4. Minimize the corpus.
While I'm here, sort the targets in fuzz/CMakeLists.txt.
Change-Id: I0cfc1ae8e2be3e67dae361605ad19833aec3fe4d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56167
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 51da4a8..8db1b7e 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -15,19 +15,20 @@
endmacro()
fuzzer(arm_cpuinfo)
-fuzzer(bn_mod_exp)
fuzzer(bn_div)
-fuzzer(privkey)
+fuzzer(bn_mod_exp)
fuzzer(cert)
-fuzzer(spki)
-fuzzer(pkcs8)
-fuzzer(pkcs12)
-fuzzer(read_pem)
-fuzzer(server ssl)
fuzzer(client ssl)
-fuzzer(dtls_server ssl)
-fuzzer(dtls_client ssl)
-fuzzer(ssl_ctx_api ssl)
-fuzzer(session ssl)
+fuzzer(conf)
fuzzer(decode_client_hello_inner ssl)
fuzzer(der_roundtrip)
+fuzzer(dtls_client ssl)
+fuzzer(dtls_server ssl)
+fuzzer(pkcs12)
+fuzzer(pkcs8)
+fuzzer(privkey)
+fuzzer(read_pem)
+fuzzer(server ssl)
+fuzzer(session ssl)
+fuzzer(spki)
+fuzzer(ssl_ctx_api ssl)
diff --git a/fuzz/conf.cc b/fuzz/conf.cc
new file mode 100644
index 0000000..eed87f3
--- /dev/null
+++ b/fuzz/conf.cc
@@ -0,0 +1,35 @@
+/* Copyright (c) 2022, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/bio.h>
+#include <openssl/conf.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+ bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(buf, len));
+ bssl::UniquePtr<CONF> conf(NCONF_new(nullptr));
+ if (NCONF_load_bio(conf.get(), bio.get(), nullptr)) {
+ // Run with and without |X509V3_CTX| information.
+ bssl::UniquePtr<X509> cert(X509_new());
+ X509V3_CTX ctx;
+ X509V3_set_ctx(&ctx, /*subject=*/cert.get(), /*issuer=*/cert.get(), nullptr,
+ nullptr, 0);
+ X509V3_EXT_add_nconf(conf.get(), &ctx, "default", cert.get());
+
+ cert.reset(X509_new());
+ X509V3_EXT_add_nconf(conf.get(), nullptr, "default", cert.get());
+ }
+ return 0;
+}
diff --git a/fuzz/conf_corpus/08dcd36db4461e27684979b5fc0686526e183c97 b/fuzz/conf_corpus/08dcd36db4461e27684979b5fc0686526e183c97
new file mode 100644
index 0000000..fa0363a
--- /dev/null
+++ b/fuzz/conf_corpus/08dcd36db4461e27684979b5fc0686526e183c97
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:EXP:1?,NULL
+
diff --git a/fuzz/conf_corpus/0a1e01eb1f9e8e1803399255c4295a31f0d09d50 b/fuzz/conf_corpus/0a1e01eb1f9e8e1803399255c4295a31f0d09d50
new file mode 100644
index 0000000..7153121
--- /dev/null
+++ b/fuzz/conf_corpus/0a1e01eb1f9e8e1803399255c4295a31f0d09d50
@@ -0,0 +1,27 @@
+# [ req ]
+default_bits = 2432
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "A user"
+userId = "User ID"
+userId_value = "test"
+
+[ v3_req ]
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+basicConstraints = CA:false
diff --git a/fuzz/conf_corpus/0ab7d18185a7251b6ef04aef2f1e6e687e20130a b/fuzz/conf_corpus/0ab7d18185a7251b6ef04aef2f1e6e687e20130a
new file mode 100644
index 0000000..e26224d
--- /dev/null
+++ b/fuzz/conf_corpus/0ab7d18185a7251b6ef04aef2f1e6e687e20130a
@@ -0,0 +1,92 @@
+# [ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CAcert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/CAkey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = testkey.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Queensland
+stateOrProvinceName_value =
+
+localityName = Locality Name (eg, city)
+localityName_value = Brisbane
+
+organizationName = Organization Name (eg, company)
+organizationName_default =
+organizationName_value = CryptSoft Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default =
+organizationalUnitName_value = .
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Eric Young
+
+emailAddress = Email Address
+emailAddress_value = eay@mincom.oz.au
diff --git a/fuzz/conf_corpus/0b252c0c9bda64bf1660ea4dbd8cf113fa42758b b/fuzz/conf_corpus/0b252c0c9bda64bf1660ea4dbd8cf113fa42758b
new file mode 100644
index 0000000..311136a
--- /dev/null
+++ b/fuzz/conf_corpus/0b252c0c9bda64bf1660ea4dbd8cf113fa42758b
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:GENTIME:20001231235959Z
+
diff --git a/fuzz/conf_corpus/0d13a928828e81a04c821d7edc9ff2d2df41f1d7 b/fuzz/conf_corpus/0d13a928828e81a04c821d7edc9ff2d2df41f1d7
new file mode 100644
index 0000000..a276a04
--- /dev/null
+++ b/fuzz/conf_corpus/0d13a928828e81a04c821d7edc9ff2d2df41f1d7
@@ -0,0 +1,24 @@
+# [ v3_req ]
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+basicConstraints = CA:false
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "A user"
+userId = "User ID"
+userId_value = "test"
+
+[ v3_req ]
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+basicConstraints = CA:false
diff --git a/fuzz/conf_corpus/100bf54ae331e2042a88faf2638b166ff27e5e6f b/fuzz/conf_corpus/100bf54ae331e2042a88faf2638b166ff27e5e6f
new file mode 100644
index 0000000..366b80b
--- /dev/null
+++ b/fuzz/conf_corpus/100bf54ae331e2042a88faf2638b166ff27e5e6f
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:IMP:1,IMP:1,NULL
+
diff --git a/fuzz/conf_corpus/170c6e9fa613ab2781f872c57cd2c59fc01e0767 b/fuzz/conf_corpus/170c6e9fa613ab2781f872c57cd2c59fc01e0767
new file mode 100644
index 0000000..e8ffb43
--- /dev/null
+++ b/fuzz/conf_corpus/170c6e9fa613ab2781f872c57cd2c59fc01e0767
@@ -0,0 +1,377 @@
+# [ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = sys\$disk:[.demoCA # TSA root directory
+serial = $dir]tsaserial. # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir.cacert.pem] # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = sys\$disk:[.demoCA # Where everything is kept
+certs = $dir.certs] # Where the issued certs are kept
+crl_dir = $dir.crl] # Where the issued crl are kept
+database = $dir]index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir.newcerts] # default place for new certs.
+
+certificate = $dir]cacert.pem # The CA certificate
+serial = $dir]serial. # The current serial number
+crlnumber = $dir]crlnumber. # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir]crl.pem # The current CRL
+private_key = $dir.private]cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = sys\$disk:[.demoCA # TSA root directory
+serial = $dir]tsaserial. # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir.cacert.pem] # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/1797360721db937be80829d7055d265dc0ff8267 b/fuzz/conf_corpus/1797360721db937be80829d7055d265dc0ff8267
new file mode 100644
index 0000000..5e8ad5d
--- /dev/null
+++ b/fuzz/conf_corpus/1797360721db937be80829d7055d265dc0ff8267
@@ -0,0 +1,7 @@
+1.2.840.113554.4.1.72585.2 = ASN1:SEQUENCE:pkcs8
+
+[pkcs8]
+vers = INT:0
+alg = SEQWRAP,OID:1.3.101.112
+key = FORMAT:HEX,OCTWRAP,OCT:9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60
+
diff --git a/fuzz/conf_corpus/18bec37e70eec020886a9800c6c56362917783a2 b/fuzz/conf_corpus/18bec37e70eec020886a9800c6c56362917783a2
new file mode 100644
index 0000000..5cd1829
--- /dev/null
+++ b/fuzz/conf_corpus/18bec37e70eec020886a9800c6c56362917783a2
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,T61:☃
+
diff --git a/fuzz/conf_corpus/2202e54f0d7738c3a783eaa429ccde4783616a54 b/fuzz/conf_corpus/2202e54f0d7738c3a783eaa429ccde4783616a54
new file mode 100644
index 0000000..9d37158
--- /dev/null
+++ b/fuzz/conf_corpus/2202e54f0d7738c3a783eaa429ccde4783616a54
@@ -0,0 +1,5 @@
+#
+# Example configuration file using includes.
+#
+
+.include=conf-includes
diff --git a/fuzz/conf_corpus/230abc23734a336467f2c5dec4c3a58559f2ed9a b/fuzz/conf_corpus/230abc23734a336467f2c5dec4c3a58559f2ed9a
new file mode 100644
index 0000000..652b4ac
--- /dev/null
+++ b/fuzz/conf_corpus/230abc23734a336467f2c5dec4c3a58559f2ed9a
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:BITSTR:hello
+
diff --git a/fuzz/conf_corpus/275b81ee8a1ba2abb0acad60920505a89067535a b/fuzz/conf_corpus/275b81ee8a1ba2abb0acad60920505a89067535a
new file mode 100644
index 0000000..8064149
--- /dev/null
+++ b/fuzz/conf_corpus/275b81ee8a1ba2abb0acad60920505a89067535a
@@ -0,0 +1,21 @@
+# [p_test_configured]
+module = p_test.dylib
+activate = 1
+greeting = Hello OpenSSL, greetings from Test Provider
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = providers
+
+[providers]
+p_test_configured = p_test_configured
+
+[p_test_configured]
+module = p_test.dylib
+activate = 1
+greeting = Hello OpenSSL, greetings from Test Provider
diff --git a/fuzz/conf_corpus/281cc97b63f22afd0306f02883f74c4f718ab4f4 b/fuzz/conf_corpus/281cc97b63f22afd0306f02883f74c4f718ab4f4
new file mode 100644
index 0000000..f320569
--- /dev/null
+++ b/fuzz/conf_corpus/281cc97b63f22afd0306f02883f74c4f718ab4f4
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,BMP:☃
+
diff --git a/fuzz/conf_corpus/2a050eb8e3426bd96a1327acd6c8914597c4390c b/fuzz/conf_corpus/2a050eb8e3426bd96a1327acd6c8914597c4390c
new file mode 100644
index 0000000..c7f42d2
--- /dev/null
+++ b/fuzz/conf_corpus/2a050eb8e3426bd96a1327acd6c8914597c4390c
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:INTEGER
+
diff --git a/fuzz/conf_corpus/2c63e3f7ec9e2111d9c6bf63a3022a58b0c24ecd b/fuzz/conf_corpus/2c63e3f7ec9e2111d9c6bf63a3022a58b0c24ecd
new file mode 100644
index 0000000..b18c3ce
--- /dev/null
+++ b/fuzz/conf_corpus/2c63e3f7ec9e2111d9c6bf63a3022a58b0c24ecd
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:UTC:20001231235959Z
+
diff --git a/fuzz/conf_corpus/2cf0606462f76c0946ffe26e2e613a4fe3ce3099 b/fuzz/conf_corpus/2cf0606462f76c0946ffe26e2e613a4fe3ce3099
new file mode 100644
index 0000000..2091646
--- /dev/null
+++ b/fuzz/conf_corpus/2cf0606462f76c0946ffe26e2e613a4fe3ce3099
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,IA5:☃
+
diff --git a/fuzz/conf_corpus/30cfb27d45f0000106f031c87d4bc4c3074d70a4 b/fuzz/conf_corpus/30cfb27d45f0000106f031c87d4bc4c3074d70a4
new file mode 100644
index 0000000..a71e8ad
--- /dev/null
+++ b/fuzz/conf_corpus/30cfb27d45f0000106f031c87d4bc4c3074d70a4
@@ -0,0 +1,65 @@
+# [ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/fuzz/conf_corpus/328b0f18ee4445e85272d8956999d6141396bfdf b/fuzz/conf_corpus/328b0f18ee4445e85272d8956999d6141396bfdf
new file mode 100644
index 0000000..7bfbc53
--- /dev/null
+++ b/fuzz/conf_corpus/328b0f18ee4445e85272d8956999d6141396bfdf
@@ -0,0 +1,2 @@
+basicConstraints = critical,CA:true
+
diff --git a/fuzz/conf_corpus/32edc4bdd420e2aedf901789025250206e4e1386 b/fuzz/conf_corpus/32edc4bdd420e2aedf901789025250206e4e1386
new file mode 100644
index 0000000..eb24a6d
--- /dev/null
+++ b/fuzz/conf_corpus/32edc4bdd420e2aedf901789025250206e4e1386
@@ -0,0 +1,24 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# create RSA certs - CA
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name = req_distinguished_name
+encrypt_key = no
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = ES
+countryName_value = ES
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Hermanos Locos
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Hermanos Locos CA
+
diff --git a/fuzz/conf_corpus/35047bb8f4ab1d64027c5a849420b1696a353c8e b/fuzz/conf_corpus/35047bb8f4ab1d64027c5a849420b1696a353c8e
new file mode 100644
index 0000000..81432ae
--- /dev/null
+++ b/fuzz/conf_corpus/35047bb8f4ab1d64027c5a849420b1696a353c8e
@@ -0,0 +1,383 @@
+# [ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/35c202e645ed1be5040eb358fe7eb4db6bfe624f b/fuzz/conf_corpus/35c202e645ed1be5040eb358fe7eb4db6bfe624f
new file mode 100644
index 0000000..3fc5ba9
--- /dev/null
+++ b/fuzz/conf_corpus/35c202e645ed1be5040eb358fe7eb4db6bfe624f
@@ -0,0 +1,168 @@
+# [ ca ]
+default_ca = CA_default # The default ca section
+
+
+#
+# This config is used by the Time Stamp Authority tests.
+#
+
+RANDFILE = ./.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+TSDNSECT = ts_cert_dn
+INDEX = 1
+
+[ new_oids ]
+
+# Policies used by the TSA tests.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+#----------------------------------------------------------------------
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = ./demoCA
+certs = $dir/certs # Where the issued certs are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+#----------------------------------------------------------------------
+[ req ]
+default_bits = 2048
+default_md = sha1
+distinguished_name = $ENV::TSDNSECT
+encrypt_rsa_key = no
+prompt = no
+# attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+string_mask = nombstr
+
+[ ts_ca_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Budapest
+organizationName = Gov-CA Ltd.
+commonName = ca1
+
+[ ts_cert_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Buda
+organizationName = Hun-TSA Ltd.
+commonName = tsa$ENV::INDEX
+
+[ tsa_cert ]
+
+# TSA server cert is not a CA cert.
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ non_tsa_cert ]
+
+# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+# timeStamping is not supported by this certificate
+# extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+
+#----------------------------------------------------------------------
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/tsaca.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = yes # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+[ tsa_config2 ]
+
+# This configuration uses a certificate which doesn't have timeStamping usage.
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
diff --git a/fuzz/conf_corpus/37b929a109a89d8ef4e07e43b3d58ce53610e9a6 b/fuzz/conf_corpus/37b929a109a89d8ef4e07e43b3d58ce53610e9a6
new file mode 100644
index 0000000..f500686
--- /dev/null
+++ b/fuzz/conf_corpus/37b929a109a89d8ef4e07e43b3d58ce53610e9a6
@@ -0,0 +1,64 @@
+# [ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
diff --git a/fuzz/conf_corpus/37ecd9fbc4d6027e0ccf6d43295958b7ccd6a6ae b/fuzz/conf_corpus/37ecd9fbc4d6027e0ccf6d43295958b7ccd6a6ae
new file mode 100644
index 0000000..b328763
--- /dev/null
+++ b/fuzz/conf_corpus/37ecd9fbc4d6027e0ccf6d43295958b7ccd6a6ae
@@ -0,0 +1,15 @@
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+
+[default_sect]
+activate = 1
+
+
diff --git a/fuzz/conf_corpus/38b948dd3fa55cb37982127562154068ecd8f7ec b/fuzz/conf_corpus/38b948dd3fa55cb37982127562154068ecd8f7ec
new file mode 100644
index 0000000..b30c2ac
--- /dev/null
+++ b/fuzz/conf_corpus/38b948dd3fa55cb37982127562154068ecd8f7ec
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:EXP:-1,NULL
+
diff --git a/fuzz/conf_corpus/395410ecd6d2db9216f9ca77417b290a945243f2 b/fuzz/conf_corpus/395410ecd6d2db9216f9ca77417b290a945243f2
new file mode 100644
index 0000000..91f7969
--- /dev/null
+++ b/fuzz/conf_corpus/395410ecd6d2db9216f9ca77417b290a945243f2
@@ -0,0 +1,19 @@
+####################################################################
+[ req ]
+default_bits = 2432
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "A user"
+userId = "User ID"
+userId_value = "test"
+
+[ v3_req ]
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+basicConstraints = CA:false
diff --git a/fuzz/conf_corpus/395ad885030545f2fcf9c1e84c5fa7b173c7d256 b/fuzz/conf_corpus/395ad885030545f2fcf9c1e84c5fa7b173c7d256
new file mode 100644
index 0000000..163bbe1
--- /dev/null
+++ b/fuzz/conf_corpus/395ad885030545f2fcf9c1e84c5fa7b173c7d256
@@ -0,0 +1,63 @@
+# [ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
diff --git a/fuzz/conf_corpus/3ae4a7d00132b473b7451164636c325fc3d6790f b/fuzz/conf_corpus/3ae4a7d00132b473b7451164636c325fc3d6790f
new file mode 100644
index 0000000..1b7e522
--- /dev/null
+++ b/fuzz/conf_corpus/3ae4a7d00132b473b7451164636c325fc3d6790f
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:EXP:536870912,NULL
+
diff --git a/fuzz/conf_corpus/3dd3f33c2dabbd0dd23ac4712ec48b4804ff2a5c b/fuzz/conf_corpus/3dd3f33c2dabbd0dd23ac4712ec48b4804ff2a5c
new file mode 100644
index 0000000..3c509c4
--- /dev/null
+++ b/fuzz/conf_corpus/3dd3f33c2dabbd0dd23ac4712ec48b4804ff2a5c
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:HEX,UTC:abcd
+
diff --git a/fuzz/conf_corpus/42742f12cd752ced1398001ae54d3d0d11620069 b/fuzz/conf_corpus/42742f12cd752ced1398001ae54d3d0d11620069
new file mode 100644
index 0000000..5a5d7c6
--- /dev/null
+++ b/fuzz/conf_corpus/42742f12cd752ced1398001ae54d3d0d11620069
@@ -0,0 +1,31 @@
+# [ req ]
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# hacked by iang to do DSA certs - Server
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = ES
+countryName_value = ES
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Tortilleras S.A.
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Torti
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Gordita
+
diff --git a/fuzz/conf_corpus/45290902222264dc36d93a7dd9669ef419dac293 b/fuzz/conf_corpus/45290902222264dc36d93a7dd9669ef419dac293
new file mode 100644
index 0000000..af4044f
--- /dev/null
+++ b/fuzz/conf_corpus/45290902222264dc36d93a7dd9669ef419dac293
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:BITLIST,IA5:abcd
+
diff --git a/fuzz/conf_corpus/48380f4be820e22599410baa62bb004274cbfac2 b/fuzz/conf_corpus/48380f4be820e22599410baa62bb004274cbfac2
new file mode 100644
index 0000000..e64cc9f
--- /dev/null
+++ b/fuzz/conf_corpus/48380f4be820e22599410baa62bb004274cbfac2
@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = sys\$disk:[.demoCA # Where everything is kept
+certs = $dir.certs] # Where the issued certs are kept
+crl_dir = $dir.crl] # Where the issued crl are kept
+database = $dir]index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir.newcerts] # default place for new certs.
+
+certificate = $dir]cacert.pem # The CA certificate
+serial = $dir]serial. # The current serial number
+crlnumber = $dir]crlnumber. # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir]crl.pem # The current CRL
+private_key = $dir.private]cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = sys\$disk:[.demoCA # TSA root directory
+serial = $dir]tsaserial. # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir.cacert.pem] # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/4a69a44ef6160aaddd0361db4d35b49eb48dfcc1 b/fuzz/conf_corpus/4a69a44ef6160aaddd0361db4d35b49eb48dfcc1
new file mode 100644
index 0000000..93f5899
--- /dev/null
+++ b/fuzz/conf_corpus/4a69a44ef6160aaddd0361db4d35b49eb48dfcc1
@@ -0,0 +1,393 @@
+# [ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/4accb3f43a191f145ec9a1c8a747ab09a4be32d2 b/fuzz/conf_corpus/4accb3f43a191f145ec9a1c8a747ab09a4be32d2
new file mode 100644
index 0000000..e8df30a
--- /dev/null
+++ b/fuzz/conf_corpus/4accb3f43a191f145ec9a1c8a747ab09a4be32d2
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:EXP:1
+
diff --git a/fuzz/conf_corpus/4bdb476bbcb81b40c869319e1565606945c68374 b/fuzz/conf_corpus/4bdb476bbcb81b40c869319e1565606945c68374
new file mode 100644
index 0000000..2a65595
--- /dev/null
+++ b/fuzz/conf_corpus/4bdb476bbcb81b40c869319e1565606945c68374
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:SEQ
+
diff --git a/fuzz/conf_corpus/4beed6b185c0a4958b7e4b5cbd272e78859c076b b/fuzz/conf_corpus/4beed6b185c0a4958b7e4b5cbd272e78859c076b
new file mode 100644
index 0000000..ff37938
--- /dev/null
+++ b/fuzz/conf_corpus/4beed6b185c0a4958b7e4b5cbd272e78859c076b
@@ -0,0 +1,80 @@
+# [ usr_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+#
+# OpenSSL configuration file to create apps directory certificates
+#
+
+# This definition stops the following lines choking if HOME or CN
+# is undefined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+CN = "Not Defined"
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+# Don't prompt for fields: use those in section directly
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = UK
+
+organizationName = OpenSSL Group
+organizationalUnitName = FOR TESTING PURPOSES ONLY
+# Take CN from environment so it can come from a script.
+commonName = $ENV::CN
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+[ ec_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyAgreement
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+
diff --git a/fuzz/conf_corpus/50076fd5bd0e9429817a7b21a70b6cf3d00f2613 b/fuzz/conf_corpus/50076fd5bd0e9429817a7b21a70b6cf3d00f2613
new file mode 100644
index 0000000..078db6e
--- /dev/null
+++ b/fuzz/conf_corpus/50076fd5bd0e9429817a7b21a70b6cf3d00f2613
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:UTC:001231235959Z
+
diff --git a/fuzz/conf_corpus/50dad276fd8b2a80ee94b3cb1f3c24874989d022 b/fuzz/conf_corpus/50dad276fd8b2a80ee94b3cb1f3c24874989d022
new file mode 100644
index 0000000..22325e3
--- /dev/null
+++ b/fuzz/conf_corpus/50dad276fd8b2a80ee94b3cb1f3c24874989d022
@@ -0,0 +1,74 @@
+# [ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
diff --git a/fuzz/conf_corpus/530a33f20602dfa94747ccd7e802e5db91e81613 b/fuzz/conf_corpus/530a33f20602dfa94747ccd7e802e5db91e81613
new file mode 100644
index 0000000..695ccce
--- /dev/null
+++ b/fuzz/conf_corpus/530a33f20602dfa94747ccd7e802e5db91e81613
@@ -0,0 +1,30 @@
+# [ req ]
+distinguished_name = req_distinguished_name
+encrypt_key = no
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# create RSA certs - Server
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+distinguished_name = req_distinguished_name
+encrypt_key = no
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = ES
+countryName_value = ES
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Tortilleras S.A.
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Torti
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Gordita
diff --git a/fuzz/conf_corpus/542737d901a0297a82735ae043b3fa63d654c992 b/fuzz/conf_corpus/542737d901a0297a82735ae043b3fa63d654c992
new file mode 100644
index 0000000..984050d
--- /dev/null
+++ b/fuzz/conf_corpus/542737d901a0297a82735ae043b3fa63d654c992
@@ -0,0 +1,361 @@
+# [ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = sys\$disk:[.demoCA # Where everything is kept
+certs = $dir.certs] # Where the issued certs are kept
+crl_dir = $dir.crl] # Where the issued crl are kept
+database = $dir]index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir.newcerts] # default place for new certs.
+
+certificate = $dir]cacert.pem # The CA certificate
+serial = $dir]serial. # The current serial number
+crlnumber = $dir]crlnumber. # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir]crl.pem # The current CRL
+private_key = $dir.private]cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = sys\$disk:[.demoCA # TSA root directory
+serial = $dir]tsaserial. # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir.cacert.pem] # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/5469e35d858278e3cb1aed54d0299dec6b485d6a b/fuzz/conf_corpus/5469e35d858278e3cb1aed54d0299dec6b485d6a
new file mode 100644
index 0000000..f141d8c
--- /dev/null
+++ b/fuzz/conf_corpus/5469e35d858278e3cb1aed54d0299dec6b485d6a
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:INT:-10
+
diff --git a/fuzz/conf_corpus/55c19b8145675fb76d62b2700acb7fafb144bed7 b/fuzz/conf_corpus/55c19b8145675fb76d62b2700acb7fafb144bed7
new file mode 100644
index 0000000..2f34319
--- /dev/null
+++ b/fuzz/conf_corpus/55c19b8145675fb76d62b2700acb7fafb144bed7
@@ -0,0 +1,62 @@
+# [ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+####################################################################
+[ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
diff --git a/fuzz/conf_corpus/57ebcafc9b0e27dd2fdf746a753d4a9b22d0ad62 b/fuzz/conf_corpus/57ebcafc9b0e27dd2fdf746a753d4a9b22d0ad62
new file mode 100644
index 0000000..2efe653
--- /dev/null
+++ b/fuzz/conf_corpus/57ebcafc9b0e27dd2fdf746a753d4a9b22d0ad62
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = DER:00:01:02:03:04
+
diff --git a/fuzz/conf_corpus/594a3570ef3c76647f001bf85539b9dc0dee0617 b/fuzz/conf_corpus/594a3570ef3c76647f001bf85539b9dc0dee0617
new file mode 100644
index 0000000..793dc58
--- /dev/null
+++ b/fuzz/conf_corpus/594a3570ef3c76647f001bf85539b9dc0dee0617
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:UTF8:hello
+
diff --git a/fuzz/conf_corpus/59a8acfc2d50d5d2bcd638f2e82e168d1c3d419b b/fuzz/conf_corpus/59a8acfc2d50d5d2bcd638f2e82e168d1c3d419b
new file mode 100644
index 0000000..e6118dc
--- /dev/null
+++ b/fuzz/conf_corpus/59a8acfc2d50d5d2bcd638f2e82e168d1c3d419b
@@ -0,0 +1,37 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/fuzz/conf_corpus/5b6a90c5ed62c8fc6f2a84d73002d83e4b75d269 b/fuzz/conf_corpus/5b6a90c5ed62c8fc6f2a84d73002d83e4b75d269
new file mode 100644
index 0000000..df059f2
--- /dev/null
+++ b/fuzz/conf_corpus/5b6a90c5ed62c8fc6f2a84d73002d83e4b75d269
@@ -0,0 +1,19 @@
+# [openssl_init]
+providers = providers
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = providers
+
+[providers]
+p_test_configured = p_test_configured
+
+[p_test_configured]
+module = p_test.dylib
+activate = 1
+greeting = Hello OpenSSL, greetings from Test Provider
diff --git a/fuzz/conf_corpus/5c59d0963dca28f161b3fad9c1aebb6c91759d31 b/fuzz/conf_corpus/5c59d0963dca28f161b3fad9c1aebb6c91759d31
new file mode 100644
index 0000000..e81c6be
--- /dev/null
+++ b/fuzz/conf_corpus/5c59d0963dca28f161b3fad9c1aebb6c91759d31
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:OID:2.5.29.19
+
diff --git a/fuzz/conf_corpus/60bc256c3ce7683798ab1ede1ed3a7379b4cfd8e b/fuzz/conf_corpus/60bc256c3ce7683798ab1ede1ed3a7379b4cfd8e
new file mode 100644
index 0000000..a1e26ad
--- /dev/null
+++ b/fuzz/conf_corpus/60bc256c3ce7683798ab1ede1ed3a7379b4cfd8e
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:NULL,invalid
+
diff --git a/fuzz/conf_corpus/6140664f9791c7c0da4efcdb8997b0a21041f88a b/fuzz/conf_corpus/6140664f9791c7c0da4efcdb8997b0a21041f88a
new file mode 100644
index 0000000..e5196fa
--- /dev/null
+++ b/fuzz/conf_corpus/6140664f9791c7c0da4efcdb8997b0a21041f88a
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:BOOL:yes
+
diff --git a/fuzz/conf_corpus/616049a4fd7c60684de8d3b7886f950fa21b9869 b/fuzz/conf_corpus/616049a4fd7c60684de8d3b7886f950fa21b9869
new file mode 100644
index 0000000..4ac4fae
--- /dev/null
+++ b/fuzz/conf_corpus/616049a4fd7c60684de8d3b7886f950fa21b9869
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:IMP:1,EXP:1,NULL
+
diff --git a/fuzz/conf_corpus/68c1b4bbad7a11989b929f8aed14d65b31536164 b/fuzz/conf_corpus/68c1b4bbad7a11989b929f8aed14d65b31536164
new file mode 100644
index 0000000..f6f7c24
--- /dev/null
+++ b/fuzz/conf_corpus/68c1b4bbad7a11989b929f8aed14d65b31536164
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:HEX,IA5:abcd
+
diff --git a/fuzz/conf_corpus/697f1761f9030af0a8cb280eccf9edd5ecaaa0c7 b/fuzz/conf_corpus/697f1761f9030af0a8cb280eccf9edd5ecaaa0c7
new file mode 100644
index 0000000..6f69d32
--- /dev/null
+++ b/fuzz/conf_corpus/697f1761f9030af0a8cb280eccf9edd5ecaaa0c7
@@ -0,0 +1,2 @@
+basicConstraints = critical,@section
+
diff --git a/fuzz/conf_corpus/69ad9ff26f71fd6aa54c0c1ed94df85bdba1d5cc b/fuzz/conf_corpus/69ad9ff26f71fd6aa54c0c1ed94df85bdba1d5cc
new file mode 100644
index 0000000..c173a31
--- /dev/null
+++ b/fuzz/conf_corpus/69ad9ff26f71fd6aa54c0c1ed94df85bdba1d5cc
@@ -0,0 +1,52 @@
+# [ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/fuzz/conf_corpus/6c7f8c2045867641dd5ae32a8ceb25b8faa39808 b/fuzz/conf_corpus/6c7f8c2045867641dd5ae32a8ceb25b8faa39808
new file mode 100644
index 0000000..5ba1e55
--- /dev/null
+++ b/fuzz/conf_corpus/6c7f8c2045867641dd5ae32a8ceb25b8faa39808
@@ -0,0 +1,4 @@
+basicConstraints = critical,@section
+[section]
+CA = true
+
diff --git a/fuzz/conf_corpus/6cc82d1312421cee8a07f13e6fb27d49f08b9840 b/fuzz/conf_corpus/6cc82d1312421cee8a07f13e6fb27d49f08b9840
new file mode 100644
index 0000000..1737b70
--- /dev/null
+++ b/fuzz/conf_corpus/6cc82d1312421cee8a07f13e6fb27d49f08b9840
@@ -0,0 +1,5 @@
+#
+# Example configuration file using includes.
+#
+
+.include includes.cnf
diff --git a/fuzz/conf_corpus/6d7936a8355956094938102f653df82c4a99b099 b/fuzz/conf_corpus/6d7936a8355956094938102f653df82c4a99b099
new file mode 100644
index 0000000..d4b675b
--- /dev/null
+++ b/fuzz/conf_corpus/6d7936a8355956094938102f653df82c4a99b099
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,T61:÷
+
diff --git a/fuzz/conf_corpus/702d7bd05ada6355620ace60e9b2cd4e0a1b3757 b/fuzz/conf_corpus/702d7bd05ada6355620ace60e9b2cd4e0a1b3757
new file mode 100644
index 0000000..835b2c6
--- /dev/null
+++ b/fuzz/conf_corpus/702d7bd05ada6355620ace60e9b2cd4e0a1b3757
@@ -0,0 +1,66 @@
+#
+# OpenSSL example configuration file for automated certificate creation.
+#
+
+# This definition stops the following lines choking if HOME or CN
+# is undefined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+CN = "Not Defined"
+default_ca = ca
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+# Don't prompt for fields: use those in section directly
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = UK
+
+organizationName = OpenSSL Group
+# Take CN from environment so it can come from a script.
+commonName = $ENV::CN
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ dh_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# DH certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, keyAgreement
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
diff --git a/fuzz/conf_corpus/7090fdb7e0d8e7106490d37f9aec664c7d050cf5 b/fuzz/conf_corpus/7090fdb7e0d8e7106490d37f9aec664c7d050cf5
new file mode 100644
index 0000000..ad67743
--- /dev/null
+++ b/fuzz/conf_corpus/7090fdb7e0d8e7106490d37f9aec664c7d050cf5
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,UTF8:☃
+
diff --git a/fuzz/conf_corpus/76ae6d85df626927a0be162a6b3846132d40957b b/fuzz/conf_corpus/76ae6d85df626927a0be162a6b3846132d40957b
new file mode 100644
index 0000000..b3a5a64
--- /dev/null
+++ b/fuzz/conf_corpus/76ae6d85df626927a0be162a6b3846132d40957b
@@ -0,0 +1,19 @@
+# [ default_conf ]
+
+ssl_conf = ssl_sect
+
+# Configuration file to test system default SSL configuration
+
+openssl_conf = default_conf
+
+[ default_conf ]
+
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = ssl_default_sect
+
+[ssl_default_sect]
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
diff --git a/fuzz/conf_corpus/788ddbf9d4770cced2a860ac60c81eea9dea7f92 b/fuzz/conf_corpus/788ddbf9d4770cced2a860ac60c81eea9dea7f92
new file mode 100644
index 0000000..4a1b3fa
--- /dev/null
+++ b/fuzz/conf_corpus/788ddbf9d4770cced2a860ac60c81eea9dea7f92
@@ -0,0 +1,361 @@
+# [ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/78b9cf1525d06cddf920ee48dbd148b76c1ff33c b/fuzz/conf_corpus/78b9cf1525d06cddf920ee48dbd148b76c1ff33c
new file mode 100644
index 0000000..5473d83
--- /dev/null
+++ b/fuzz/conf_corpus/78b9cf1525d06cddf920ee48dbd148b76c1ff33c
@@ -0,0 +1,15 @@
+# Configuration file to test system default SSL configuration
+
+openssl_conf = default_conf
+
+[ default_conf ]
+
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = ssl_default_sect
+
+[ssl_default_sect]
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
diff --git a/fuzz/conf_corpus/7aff02c03b03f36d83de3129397fa854d3ab8120 b/fuzz/conf_corpus/7aff02c03b03f36d83de3129397fa854d3ab8120
new file mode 100644
index 0000000..0e0244e
--- /dev/null
+++ b/fuzz/conf_corpus/7aff02c03b03f36d83de3129397fa854d3ab8120
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:ENUM:0
+
diff --git a/fuzz/conf_corpus/7d0c17dc2a2dc49ec014bed83b834a59d035b856 b/fuzz/conf_corpus/7d0c17dc2a2dc49ec014bed83b834a59d035b856
new file mode 100644
index 0000000..345eeb9
--- /dev/null
+++ b/fuzz/conf_corpus/7d0c17dc2a2dc49ec014bed83b834a59d035b856
@@ -0,0 +1,5 @@
+#
+# Example configuration file using includes.
+#
+
+.include conf-includes
diff --git a/fuzz/conf_corpus/81206f43ddab64bebeada8eca34dbe377dcf0586 b/fuzz/conf_corpus/81206f43ddab64bebeada8eca34dbe377dcf0586
new file mode 100644
index 0000000..8e13300
--- /dev/null
+++ b/fuzz/conf_corpus/81206f43ddab64bebeada8eca34dbe377dcf0586
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,IA5:hello
+
diff --git a/fuzz/conf_corpus/814af1dfe1b44feed24d1a09264146d1a067b104 b/fuzz/conf_corpus/814af1dfe1b44feed24d1a09264146d1a067b104
new file mode 100644
index 0000000..affc929
--- /dev/null
+++ b/fuzz/conf_corpus/814af1dfe1b44feed24d1a09264146d1a067b104
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:HEX,OCT:0123abcd
+
diff --git a/fuzz/conf_corpus/81b46b866d7db2cbcb9120d37c580362ee87a38f b/fuzz/conf_corpus/81b46b866d7db2cbcb9120d37c580362ee87a38f
new file mode 100644
index 0000000..fd71c48
--- /dev/null
+++ b/fuzz/conf_corpus/81b46b866d7db2cbcb9120d37c580362ee87a38f
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:GENTIME:invalid
+
diff --git a/fuzz/conf_corpus/8206704aa14a2bde67c185e80255b7549069c432 b/fuzz/conf_corpus/8206704aa14a2bde67c185e80255b7549069c432
new file mode 100644
index 0000000..23f29ab
--- /dev/null
+++ b/fuzz/conf_corpus/8206704aa14a2bde67c185e80255b7549069c432
@@ -0,0 +1,357 @@
+# [ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/822571601d5d7086fa241d10f8177dfbbdc7f13d b/fuzz/conf_corpus/822571601d5d7086fa241d10f8177dfbbdc7f13d
new file mode 100644
index 0000000..3f9f1a0
--- /dev/null
+++ b/fuzz/conf_corpus/822571601d5d7086fa241d10f8177dfbbdc7f13d
@@ -0,0 +1,104 @@
+# [ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = v3_ca # The extensions to add to the cert
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_anything
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha1
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Dodgy CA
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = v3_ca # The extensions to add to the cert
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
diff --git a/fuzz/conf_corpus/823bec7091ae3be48a31a9813abcc49eef62622f b/fuzz/conf_corpus/823bec7091ae3be48a31a9813abcc49eef62622f
new file mode 100644
index 0000000..19ed239
--- /dev/null
+++ b/fuzz/conf_corpus/823bec7091ae3be48a31a9813abcc49eef62622f
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:OBJECT:invalid
+
diff --git a/fuzz/conf_corpus/83c71dd51a38cb8a1c79ffe6aad360758b4e08ea b/fuzz/conf_corpus/83c71dd51a38cb8a1c79ffe6aad360758b4e08ea
new file mode 100644
index 0000000..c395a15
--- /dev/null
+++ b/fuzz/conf_corpus/83c71dd51a38cb8a1c79ffe6aad360758b4e08ea
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:GENTIME:001231235959Z
+
diff --git a/fuzz/conf_corpus/84e212e03800aae7eac44321017a75523b500aec b/fuzz/conf_corpus/84e212e03800aae7eac44321017a75523b500aec
new file mode 100644
index 0000000..5114f02
--- /dev/null
+++ b/fuzz/conf_corpus/84e212e03800aae7eac44321017a75523b500aec
@@ -0,0 +1,357 @@
+# [ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/86b04c728a03d3d796e5a02ec57c22d16b80b59a b/fuzz/conf_corpus/86b04c728a03d3d796e5a02ec57c22d16b80b59a
new file mode 100644
index 0000000..856561f
--- /dev/null
+++ b/fuzz/conf_corpus/86b04c728a03d3d796e5a02ec57c22d16b80b59a
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:invalid,IA5:abcd
+
diff --git a/fuzz/conf_corpus/8814ab1d77628a2e35cf59dded05a1ba09986b9a b/fuzz/conf_corpus/8814ab1d77628a2e35cf59dded05a1ba09986b9a
new file mode 100644
index 0000000..b8f5f40
--- /dev/null
+++ b/fuzz/conf_corpus/8814ab1d77628a2e35cf59dded05a1ba09986b9a
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:OBJECT:basicConstraints
+
diff --git a/fuzz/conf_corpus/896af997791eac9fbccdd9d86eb46d45e7a8ddf2 b/fuzz/conf_corpus/896af997791eac9fbccdd9d86eb46d45e7a8ddf2
new file mode 100644
index 0000000..e01504f
--- /dev/null
+++ b/fuzz/conf_corpus/896af997791eac9fbccdd9d86eb46d45e7a8ddf2
@@ -0,0 +1,357 @@
+# [ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = sys\$disk:[.demoCA # Where everything is kept
+certs = $dir.certs] # Where the issued certs are kept
+crl_dir = $dir.crl] # Where the issued crl are kept
+database = $dir]index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir.newcerts] # default place for new certs.
+
+certificate = $dir]cacert.pem # The CA certificate
+serial = $dir]serial. # The current serial number
+crlnumber = $dir]crlnumber. # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir]crl.pem # The current CRL
+private_key = $dir.private]cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = sys\$disk:[.demoCA # TSA root directory
+serial = $dir]tsaserial. # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir.cacert.pem] # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/8baa38c5c8540561d86491916d0bb36cc13c1218 b/fuzz/conf_corpus/8baa38c5c8540561d86491916d0bb36cc13c1218
new file mode 100644
index 0000000..3566bb0
--- /dev/null
+++ b/fuzz/conf_corpus/8baa38c5c8540561d86491916d0bb36cc13c1218
@@ -0,0 +1,43 @@
+# [ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/fuzz/conf_corpus/8d4c7ac088d1cc761b4f79c9ccd7b40d05567aaf b/fuzz/conf_corpus/8d4c7ac088d1cc761b4f79c9ccd7b40d05567aaf
new file mode 100644
index 0000000..ab13474
--- /dev/null
+++ b/fuzz/conf_corpus/8d4c7ac088d1cc761b4f79c9ccd7b40d05567aaf
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,OCT:abcd
+
diff --git a/fuzz/conf_corpus/8de6365ad8ab8315fe22408785ed5d1121e0324b b/fuzz/conf_corpus/8de6365ad8ab8315fe22408785ed5d1121e0324b
new file mode 100644
index 0000000..4501af1
--- /dev/null
+++ b/fuzz/conf_corpus/8de6365ad8ab8315fe22408785ed5d1121e0324b
@@ -0,0 +1,45 @@
+# [ default ]
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ default ]
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CAcert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/CAkey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
diff --git a/fuzz/conf_corpus/8e740a2d8429b288d9b034c8331393211d784167 b/fuzz/conf_corpus/8e740a2d8429b288d9b034c8331393211d784167
new file mode 100644
index 0000000..ea2ec34
--- /dev/null
+++ b/fuzz/conf_corpus/8e740a2d8429b288d9b034c8331393211d784167
@@ -0,0 +1,79 @@
+# [ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+
+#
+# OpenSSL example configuration file for automated certificate creation.
+#
+
+# This definition stops the following lines choking if HOME or CN
+# is undefined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+CN = "Not Defined"
+default_ca = ca
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+# Don't prompt for fields: use those in section directly
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = UK
+
+organizationName = OpenSSL Group
+# Take CN from environment so it can come from a script.
+commonName = $ENV::CN
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ dh_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# DH certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, keyAgreement
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
diff --git a/fuzz/conf_corpus/8f7a36c905a0203b2cc27323b2b90a3ba5b8b9fe b/fuzz/conf_corpus/8f7a36c905a0203b2cc27323b2b90a3ba5b8b9fe
new file mode 100644
index 0000000..7065527
--- /dev/null
+++ b/fuzz/conf_corpus/8f7a36c905a0203b2cc27323b2b90a3ba5b8b9fe
@@ -0,0 +1,176 @@
+# [ req ]
+default_bits = 2048
+default_md = sha1
+distinguished_name = $ENV::TSDNSECT
+encrypt_rsa_key = no
+prompt = no
+# attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+string_mask = nombstr
+
+
+#
+# This config is used by the Time Stamp Authority tests.
+#
+
+RANDFILE = ./.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+TSDNSECT = ts_cert_dn
+INDEX = 1
+
+[ new_oids ]
+
+# Policies used by the TSA tests.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+#----------------------------------------------------------------------
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = ./demoCA
+certs = $dir/certs # Where the issued certs are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+#----------------------------------------------------------------------
+[ req ]
+default_bits = 2048
+default_md = sha1
+distinguished_name = $ENV::TSDNSECT
+encrypt_rsa_key = no
+prompt = no
+# attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+string_mask = nombstr
+
+[ ts_ca_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Budapest
+organizationName = Gov-CA Ltd.
+commonName = ca1
+
+[ ts_cert_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Buda
+organizationName = Hun-TSA Ltd.
+commonName = tsa$ENV::INDEX
+
+[ tsa_cert ]
+
+# TSA server cert is not a CA cert.
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ non_tsa_cert ]
+
+# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+# timeStamping is not supported by this certificate
+# extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+
+#----------------------------------------------------------------------
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/tsaca.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = yes # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+[ tsa_config2 ]
+
+# This configuration uses a certificate which doesn't have timeStamping usage.
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
diff --git a/fuzz/conf_corpus/917a403d9a6e8db8462cfd2d9f7958b80025dafc b/fuzz/conf_corpus/917a403d9a6e8db8462cfd2d9f7958b80025dafc
new file mode 100644
index 0000000..ba84ff4
--- /dev/null
+++ b/fuzz/conf_corpus/917a403d9a6e8db8462cfd2d9f7958b80025dafc
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:EXP:0,EXP:16U,EXP:100A,EXP:1000C,OCTWRAP,SEQWRAP,SETWRAP,BITWRAP,NULL
+
diff --git a/fuzz/conf_corpus/91ded87bf790e2b94c6b4e3e046ea8534b8fc385 b/fuzz/conf_corpus/91ded87bf790e2b94c6b4e3e046ea8534b8fc385
new file mode 100644
index 0000000..b8860e9
--- /dev/null
+++ b/fuzz/conf_corpus/91ded87bf790e2b94c6b4e3e046ea8534b8fc385
@@ -0,0 +1,357 @@
+# [ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = sys\$disk:[.demoCA # Where everything is kept
+certs = $dir.certs] # Where the issued certs are kept
+crl_dir = $dir.crl] # Where the issued crl are kept
+database = $dir]index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir.newcerts] # default place for new certs.
+
+certificate = $dir]cacert.pem # The CA certificate
+serial = $dir]serial. # The current serial number
+crlnumber = $dir]crlnumber. # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir]crl.pem # The current CRL
+private_key = $dir.private]cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = sys\$disk:[.demoCA # TSA root directory
+serial = $dir]tsaserial. # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir.cacert.pem] # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/92fde7b859f6f3f548690b89126c09a9f3057b82 b/fuzz/conf_corpus/92fde7b859f6f3f548690b89126c09a9f3057b82
new file mode 100644
index 0000000..3d889d5
--- /dev/null
+++ b/fuzz/conf_corpus/92fde7b859f6f3f548690b89126c09a9f3057b82
@@ -0,0 +1,65 @@
+# [ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
diff --git a/fuzz/conf_corpus/93e31109bf290a5a77f1ac5a8695533b700f7f39 b/fuzz/conf_corpus/93e31109bf290a5a77f1ac5a8695533b700f7f39
new file mode 100644
index 0000000..aa5e67c
--- /dev/null
+++ b/fuzz/conf_corpus/93e31109bf290a5a77f1ac5a8695533b700f7f39
@@ -0,0 +1,53 @@
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = testkey.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Queensland
+stateOrProvinceName_value =
+
+localityName = Locality Name (eg, city)
+localityName_value = Brisbane
+
+organizationName = Organization Name (eg, company)
+organizationName_default =
+organizationName_value = CryptSoft Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default =
+organizationalUnitName_value = .
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Eric Young
+
+emailAddress = Email Address
+emailAddress_value = eay@mincom.oz.au
diff --git a/fuzz/conf_corpus/9997ee4592ed989c1dfb0f7b93fbd20d5e22702b b/fuzz/conf_corpus/9997ee4592ed989c1dfb0f7b93fbd20d5e22702b
new file mode 100644
index 0000000..b718f41
--- /dev/null
+++ b/fuzz/conf_corpus/9997ee4592ed989c1dfb0f7b93fbd20d5e22702b
@@ -0,0 +1,25 @@
+# [ req_DN ]
+commonName = "Common Name"
+commonName_value = "A user"
+userId = "User ID"
+userId_value = "test"
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "A user"
+userId = "User ID"
+userId_value = "test"
+
+[ v3_req ]
+extendedKeyUsage = clientAuth
+subjectKeyIdentifier = hash
+basicConstraints = CA:false
diff --git a/fuzz/conf_corpus/99d8dd3e2036dde9df15123c52517767f14f4480 b/fuzz/conf_corpus/99d8dd3e2036dde9df15123c52517767f14f4480
new file mode 100644
index 0000000..1eb1065
--- /dev/null
+++ b/fuzz/conf_corpus/99d8dd3e2036dde9df15123c52517767f14f4480
@@ -0,0 +1,47 @@
+# [ req_distinguished_name ]
+countryName = AU
+organizationName = Dodgy Brothers
+0.commonName = Brother 1
+1.commonName = $ENV::CN2
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+CN2 = Brother 2
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+prompt = no
+
+[ req_distinguished_name ]
+countryName = AU
+organizationName = Dodgy Brothers
+0.commonName = Brother 1
+1.commonName = $ENV::CN2
+
+[ v3_ee ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyAgreement
+
diff --git a/fuzz/conf_corpus/9bc8f7c02576f19eb229d6906b12044fb97cff85 b/fuzz/conf_corpus/9bc8f7c02576f19eb229d6906b12044fb97cff85
new file mode 100644
index 0000000..62e4502
--- /dev/null
+++ b/fuzz/conf_corpus/9bc8f7c02576f19eb229d6906b12044fb97cff85
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:HEX,OCT:invalid hex
+
diff --git a/fuzz/conf_corpus/9cd1477e0647cbf3bbb49c69a5baf5f20e20c296 b/fuzz/conf_corpus/9cd1477e0647cbf3bbb49c69a5baf5f20e20c296
new file mode 100644
index 0000000..f5a58d6
--- /dev/null
+++ b/fuzz/conf_corpus/9cd1477e0647cbf3bbb49c69a5baf5f20e20c296
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:invalid
+
diff --git a/fuzz/conf_corpus/9d87d1e51de8f52272efaf32bb355b9b049e253b b/fuzz/conf_corpus/9d87d1e51de8f52272efaf32bb355b9b049e253b
new file mode 100644
index 0000000..12796ea
--- /dev/null
+++ b/fuzz/conf_corpus/9d87d1e51de8f52272efaf32bb355b9b049e253b
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:INT:-0x10
+
diff --git a/fuzz/conf_corpus/a2587c4e97408b64274e5e052b74e3754892c13a b/fuzz/conf_corpus/a2587c4e97408b64274e5e052b74e3754892c13a
new file mode 100644
index 0000000..e643cfd
--- /dev/null
+++ b/fuzz/conf_corpus/a2587c4e97408b64274e5e052b74e3754892c13a
@@ -0,0 +1,9 @@
+# This file specifies the Certificate Transparency logs
+# that are to be trusted.
+
+# Google's list of logs can be found here:
+# www.certificate-transparency.org/known-logs
+# A Python program to convert the log list to OpenSSL's format can be
+# found here:
+# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
+# Use the "--openssl_output" flag.
diff --git a/fuzz/conf_corpus/a2b7a9ae5cc4c1a4811b86c67950ea1782b1b214 b/fuzz/conf_corpus/a2b7a9ae5cc4c1a4811b86c67950ea1782b1b214
new file mode 100644
index 0000000..336363f
--- /dev/null
+++ b/fuzz/conf_corpus/a2b7a9ae5cc4c1a4811b86c67950ea1782b1b214
@@ -0,0 +1,14 @@
+1.2.840.113554.4.1.72585.2 = ASN1:SEQ:seq
+
+[seq]
+val1 = NULL
+val2 = IA5:a
+val3 = SET:set
+[set]
+# Config names do not matter, only the order.
+val4 = INT:1
+val3 = INT:2
+val2 = SEQ:empty
+val1 = INT:3
+[empty]
+
diff --git a/fuzz/conf_corpus/a59ae53ccd6bc5f2a351bef57079029ac18a7d41 b/fuzz/conf_corpus/a59ae53ccd6bc5f2a351bef57079029ac18a7d41
new file mode 100644
index 0000000..1c71be9
--- /dev/null
+++ b/fuzz/conf_corpus/a59ae53ccd6bc5f2a351bef57079029ac18a7d41
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1: EXP:0 , IA5: a, b
+
diff --git a/fuzz/conf_corpus/a7d597a082be78a8a48a49bbbccaefcf7375ec24 b/fuzz/conf_corpus/a7d597a082be78a8a48a49bbbccaefcf7375ec24
new file mode 100644
index 0000000..b2678b5
--- /dev/null
+++ b/fuzz/conf_corpus/a7d597a082be78a8a48a49bbbccaefcf7375ec24
@@ -0,0 +1,404 @@
+# [ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/a9efbc43a88aedba79010aded171e39498be0c2f b/fuzz/conf_corpus/a9efbc43a88aedba79010aded171e39498be0c2f
new file mode 100644
index 0000000..ffaeb92
--- /dev/null
+++ b/fuzz/conf_corpus/a9efbc43a88aedba79010aded171e39498be0c2f
@@ -0,0 +1,404 @@
+# [ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/aa38fc31f54f2020bbf5335c1a3ef54f9d54a7a7 b/fuzz/conf_corpus/aa38fc31f54f2020bbf5335c1a3ef54f9d54a7a7
new file mode 100644
index 0000000..b844928
--- /dev/null
+++ b/fuzz/conf_corpus/aa38fc31f54f2020bbf5335c1a3ef54f9d54a7a7
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:IA5:hello
+
diff --git a/fuzz/conf_corpus/ac5814a191294c3f7c6c68d44cbf3519b3eb644f b/fuzz/conf_corpus/ac5814a191294c3f7c6c68d44cbf3519b3eb644f
new file mode 100644
index 0000000..c474c9b
--- /dev/null
+++ b/fuzz/conf_corpus/ac5814a191294c3f7c6c68d44cbf3519b3eb644f
@@ -0,0 +1,83 @@
+# [ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha1
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Dodgy CA
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = v3_ca # The extensions to add to the cert
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
diff --git a/fuzz/conf_corpus/acee4ed8c6d6fdc20ff2a54f66b552bd335de75d b/fuzz/conf_corpus/acee4ed8c6d6fdc20ff2a54f66b552bd335de75d
new file mode 100644
index 0000000..efed266
--- /dev/null
+++ b/fuzz/conf_corpus/acee4ed8c6d6fdc20ff2a54f66b552bd335de75d
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,PRINTABLE:hello
+
diff --git a/fuzz/conf_corpus/aeab5e8bbc2417d92b0009a23a6a0b74fb31fbe9 b/fuzz/conf_corpus/aeab5e8bbc2417d92b0009a23a6a0b74fb31fbe9
new file mode 100644
index 0000000..5af2221
--- /dev/null
+++ b/fuzz/conf_corpus/aeab5e8bbc2417d92b0009a23a6a0b74fb31fbe9
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:T61:hello
+
diff --git a/fuzz/conf_corpus/af9f2cbae84ac395975f31730212c68ba4d73d11 b/fuzz/conf_corpus/af9f2cbae84ac395975f31730212c68ba4d73d11
new file mode 100644
index 0000000..34df69e
--- /dev/null
+++ b/fuzz/conf_corpus/af9f2cbae84ac395975f31730212c68ba4d73d11
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = DER:invalid hex
+
diff --git a/fuzz/conf_corpus/afd1e920f075355a478e95142b2062ee6119fc9d b/fuzz/conf_corpus/afd1e920f075355a478e95142b2062ee6119fc9d
new file mode 100644
index 0000000..0d60975
--- /dev/null
+++ b/fuzz/conf_corpus/afd1e920f075355a478e95142b2062ee6119fc9d
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:BOOLEAN
+
diff --git a/fuzz/conf_corpus/b031873c1d543faefa84c94e772a8af2e38932d8 b/fuzz/conf_corpus/b031873c1d543faefa84c94e772a8af2e38932d8
new file mode 100644
index 0000000..1e53f28
--- /dev/null
+++ b/fuzz/conf_corpus/b031873c1d543faefa84c94e772a8af2e38932d8
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:IMP:1A,OCTWRAP,IMP:10,SEQWRAP,IMP:100,SETWRAP,IMP:1000,BITWRAP,IMP:10000,NULL
+
diff --git a/fuzz/conf_corpus/b3ea0a503ac2fdbe8b36642ca820b3f2d960cede b/fuzz/conf_corpus/b3ea0a503ac2fdbe8b36642ca820b3f2d960cede
new file mode 100644
index 0000000..0036443
--- /dev/null
+++ b/fuzz/conf_corpus/b3ea0a503ac2fdbe8b36642ca820b3f2d960cede
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,UTF8:ÿ
+
diff --git a/fuzz/conf_corpus/b3f3cc61e482ee9dbbea624b41bd423acd1e00b6 b/fuzz/conf_corpus/b3f3cc61e482ee9dbbea624b41bd423acd1e00b6
new file mode 100644
index 0000000..a7355cd
--- /dev/null
+++ b/fuzz/conf_corpus/b3f3cc61e482ee9dbbea624b41bd423acd1e00b6
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:PRINTABLE:hello
+
diff --git a/fuzz/conf_corpus/b43a40ec0466f347383475cf6e4907ea4cefb129 b/fuzz/conf_corpus/b43a40ec0466f347383475cf6e4907ea4cefb129
new file mode 100644
index 0000000..35df398
--- /dev/null
+++ b/fuzz/conf_corpus/b43a40ec0466f347383475cf6e4907ea4cefb129
@@ -0,0 +1,73 @@
+# [ req_distinguished_name ]
+countryName = UK
+
+organizationName = OpenSSL Group
+# Take CN from environment so it can come from a script.
+commonName = $ENV::CN
+
+#
+# OpenSSL example configuration file for automated certificate creation.
+#
+
+# This definition stops the following lines choking if HOME or CN
+# is undefined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+CN = "Not Defined"
+default_ca = ca
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+# Don't prompt for fields: use those in section directly
+prompt = no
+distinguished_name = req_distinguished_name
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = UK
+
+organizationName = OpenSSL Group
+# Take CN from environment so it can come from a script.
+commonName = $ENV::CN
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ dh_cert ]
+
+# These extensions are added when 'ca' signs a request for an end entity
+# DH certificate
+
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, keyAgreement
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
diff --git a/fuzz/conf_corpus/b6638728fde6ba062209cce4cd0f51956634a981 b/fuzz/conf_corpus/b6638728fde6ba062209cce4cd0f51956634a981
new file mode 100644
index 0000000..1fb0855
--- /dev/null
+++ b/fuzz/conf_corpus/b6638728fde6ba062209cce4cd0f51956634a981
@@ -0,0 +1,19 @@
+# [ssl_sect]
+
+system_default = ssl_default_sect
+
+# Configuration file to test system default SSL configuration
+
+openssl_conf = default_conf
+
+[ default_conf ]
+
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = ssl_default_sect
+
+[ssl_default_sect]
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
diff --git a/fuzz/conf_corpus/b7cfc698eae9584a7daa5721a1ebdb4c7eda78d9 b/fuzz/conf_corpus/b7cfc698eae9584a7daa5721a1ebdb4c7eda78d9
new file mode 100644
index 0000000..66c8900
--- /dev/null
+++ b/fuzz/conf_corpus/b7cfc698eae9584a7daa5721a1ebdb4c7eda78d9
@@ -0,0 +1,36 @@
+[ default ]
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CAcert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/CAkey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
diff --git a/fuzz/conf_corpus/b7e7338c20733d3bd2924fb53d8e2b619e059818 b/fuzz/conf_corpus/b7e7338c20733d3bd2924fb53d8e2b619e059818
new file mode 100644
index 0000000..5ee247a
--- /dev/null
+++ b/fuzz/conf_corpus/b7e7338c20733d3bd2924fb53d8e2b619e059818
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:OCT:hello
+
diff --git a/fuzz/conf_corpus/b9c9c2d24d6dd35b445dc6da03603055715ec4e7 b/fuzz/conf_corpus/b9c9c2d24d6dd35b445dc6da03603055715ec4e7
new file mode 100644
index 0000000..ab76440
--- /dev/null
+++ b/fuzz/conf_corpus/b9c9c2d24d6dd35b445dc6da03603055715ec4e7
@@ -0,0 +1,9 @@
+# Example configuration file
+# Connects to the default port of s_server
+Connect = localhost:4433
+# Disable TLS v1.2 for test.
+# Protocol = ALL, -TLSv1.2
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
diff --git a/fuzz/conf_corpus/ba3adaea0e8015875583e258bda44aaa3d433b36 b/fuzz/conf_corpus/ba3adaea0e8015875583e258bda44aaa3d433b36
new file mode 100644
index 0000000..b23ebd0
--- /dev/null
+++ b/fuzz/conf_corpus/ba3adaea0e8015875583e258bda44aaa3d433b36
@@ -0,0 +1,190 @@
+# [ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/tsaca.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = yes # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+
+#
+# This config is used by the Time Stamp Authority tests.
+#
+
+RANDFILE = ./.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+TSDNSECT = ts_cert_dn
+INDEX = 1
+
+[ new_oids ]
+
+# Policies used by the TSA tests.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+#----------------------------------------------------------------------
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = ./demoCA
+certs = $dir/certs # Where the issued certs are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+#----------------------------------------------------------------------
+[ req ]
+default_bits = 2048
+default_md = sha1
+distinguished_name = $ENV::TSDNSECT
+encrypt_rsa_key = no
+prompt = no
+# attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+string_mask = nombstr
+
+[ ts_ca_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Budapest
+organizationName = Gov-CA Ltd.
+commonName = ca1
+
+[ ts_cert_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Buda
+organizationName = Hun-TSA Ltd.
+commonName = tsa$ENV::INDEX
+
+[ tsa_cert ]
+
+# TSA server cert is not a CA cert.
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ non_tsa_cert ]
+
+# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+# timeStamping is not supported by this certificate
+# extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+
+#----------------------------------------------------------------------
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/tsaca.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = yes # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+[ tsa_config2 ]
+
+# This configuration uses a certificate which doesn't have timeStamping usage.
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
diff --git a/fuzz/conf_corpus/bc9109c3decb01fbf6c711238a3670efccb8ff72 b/fuzz/conf_corpus/bc9109c3decb01fbf6c711238a3670efccb8ff72
new file mode 100644
index 0000000..ebb352d
--- /dev/null
+++ b/fuzz/conf_corpus/bc9109c3decb01fbf6c711238a3670efccb8ff72
@@ -0,0 +1,33 @@
+# [server_sect]
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
+# Certificates and keys
+RSA.Certificate=server.pem
+ECDSA.Certificate=server-ec.pem
+
+# Example config module configuration
+
+# Name supplied by application to CONF_modules_load_file
+# and section containing configuration
+testapp = test_sect
+
+[test_sect]
+# list of configuration modules
+
+# SSL configuration module
+ssl_conf = ssl_sect
+
+[ssl_sect]
+# list of SSL configurations
+server = server_sect
+
+[server_sect]
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
+# Certificates and keys
+RSA.Certificate=server.pem
+ECDSA.Certificate=server-ec.pem
diff --git a/fuzz/conf_corpus/bd049724a30d9e151ed04f2c630b9bb994d1c4d7 b/fuzz/conf_corpus/bd049724a30d9e151ed04f2c630b9bb994d1c4d7
new file mode 100644
index 0000000..6f1d815
--- /dev/null
+++ b/fuzz/conf_corpus/bd049724a30d9e151ed04f2c630b9bb994d1c4d7
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:BOOLEAN:NO
+
diff --git a/fuzz/conf_corpus/be4100590164af4b7689bdaaff5fa34eeaae331f b/fuzz/conf_corpus/be4100590164af4b7689bdaaff5fa34eeaae331f
new file mode 100644
index 0000000..24ba4b6
--- /dev/null
+++ b/fuzz/conf_corpus/be4100590164af4b7689bdaaff5fa34eeaae331f
@@ -0,0 +1,51 @@
+# [ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/fuzz/conf_corpus/c06bb154438af6218b8f58bc0f70520674fb3090 b/fuzz/conf_corpus/c06bb154438af6218b8f58bc0f70520674fb3090
new file mode 100644
index 0000000..4acca4b
--- /dev/null
+++ b/fuzz/conf_corpus/c06bb154438af6218b8f58bc0f70520674fb3090
@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/c53c55a556815bf0869da3fab9bbc94f946e7f17 b/fuzz/conf_corpus/c53c55a556815bf0869da3fab9bbc94f946e7f17
new file mode 100644
index 0000000..05c1930
--- /dev/null
+++ b/fuzz/conf_corpus/c53c55a556815bf0869da3fab9bbc94f946e7f17
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:BOOLEAN:TRUE
+
diff --git a/fuzz/conf_corpus/c8a605981467c909bef7ea586d7daf2bdbb9357c b/fuzz/conf_corpus/c8a605981467c909bef7ea586d7daf2bdbb9357c
new file mode 100644
index 0000000..62e460c
--- /dev/null
+++ b/fuzz/conf_corpus/c8a605981467c909bef7ea586d7daf2bdbb9357c
@@ -0,0 +1,79 @@
+# [ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Queensland
+stateOrProvinceName_value =
+
+localityName = Locality Name (eg, city)
+localityName_value = Brisbane
+
+organizationName = Organization Name (eg, company)
+organizationName_default =
+organizationName_value = CryptSoft Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default =
+organizationalUnitName_value = .
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Eric Young
+
+emailAddress = Email Address
+emailAddress_value = eay@mincom.oz.au
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = testkey.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Queensland
+stateOrProvinceName_value =
+
+localityName = Locality Name (eg, city)
+localityName_value = Brisbane
+
+organizationName = Organization Name (eg, company)
+organizationName_default =
+organizationName_value = CryptSoft Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default =
+organizationalUnitName_value = .
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Eric Young
+
+emailAddress = Email Address
+emailAddress_value = eay@mincom.oz.au
diff --git a/fuzz/conf_corpus/c951357508c09946709f3b7085080aa7882351a0 b/fuzz/conf_corpus/c951357508c09946709f3b7085080aa7882351a0
new file mode 100644
index 0000000..b875fbe
--- /dev/null
+++ b/fuzz/conf_corpus/c951357508c09946709f3b7085080aa7882351a0
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:SET:missing_confdb
+
diff --git a/fuzz/conf_corpus/cb8807caf78392bc3f6866b416b84b57423f0a92 b/fuzz/conf_corpus/cb8807caf78392bc3f6866b416b84b57423f0a92
new file mode 100644
index 0000000..74c29bb
--- /dev/null
+++ b/fuzz/conf_corpus/cb8807caf78392bc3f6866b416b84b57423f0a92
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,PRINTABLE:☃
+
diff --git a/fuzz/conf_corpus/ce326c4f904c6409744a00ac16a570b11baa8d0f b/fuzz/conf_corpus/ce326c4f904c6409744a00ac16a570b11baa8d0f
new file mode 100644
index 0000000..cb0cefb
--- /dev/null
+++ b/fuzz/conf_corpus/ce326c4f904c6409744a00ac16a570b11baa8d0f
@@ -0,0 +1,17 @@
+# Example configuration file
+# Port to listen on
+Port = 4433
+# Disable TLS v1.2 for test.
+# Protocol = ALL, -TLSv1.2
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
+Certificate=server.pem
+PrivateKey=server.pem
+ChainCAFile=root.pem
+VerifyCAFile=root.pem
+
+# Request certificate
+VerifyMode=Request
+ClientCAFile=root.pem
diff --git a/fuzz/conf_corpus/d0a275bdfa6bb34b83e810a82fc46549bbdb2ebf b/fuzz/conf_corpus/d0a275bdfa6bb34b83e810a82fc46549bbdb2ebf
new file mode 100644
index 0000000..1db5453
--- /dev/null
+++ b/fuzz/conf_corpus/d0a275bdfa6bb34b83e810a82fc46549bbdb2ebf
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:SET
+
diff --git a/fuzz/conf_corpus/d0eaa3dcf6ee87d82500f0dc7faec1c68a9332c8 b/fuzz/conf_corpus/d0eaa3dcf6ee87d82500f0dc7faec1c68a9332c8
new file mode 100644
index 0000000..bb6f6d2
--- /dev/null
+++ b/fuzz/conf_corpus/d0eaa3dcf6ee87d82500f0dc7faec1c68a9332c8
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:UTF8,UNIV:☃
+
diff --git a/fuzz/conf_corpus/d209fb4ee746274b928fc2fe0d738c3489cfad3e b/fuzz/conf_corpus/d209fb4ee746274b928fc2fe0d738c3489cfad3e
new file mode 100644
index 0000000..42aa081
--- /dev/null
+++ b/fuzz/conf_corpus/d209fb4ee746274b928fc2fe0d738c3489cfad3e
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:ENUMERATED:0
+
diff --git a/fuzz/conf_corpus/d40d0a5fae0458fe75a49ae5aa9d77b54b6e4147 b/fuzz/conf_corpus/d40d0a5fae0458fe75a49ae5aa9d77b54b6e4147
new file mode 100644
index 0000000..e679173
--- /dev/null
+++ b/fuzz/conf_corpus/d40d0a5fae0458fe75a49ae5aa9d77b54b6e4147
@@ -0,0 +1,44 @@
+# [ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/fuzz/conf_corpus/d61f5a98c3aaf7e8e428815fd44d166bfa4d6467 b/fuzz/conf_corpus/d61f5a98c3aaf7e8e428815fd44d166bfa4d6467
new file mode 100644
index 0000000..f655e74
--- /dev/null
+++ b/fuzz/conf_corpus/d61f5a98c3aaf7e8e428815fd44d166bfa4d6467
@@ -0,0 +1,41 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+CN2 = Brother 2
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+prompt = no
+
+[ req_distinguished_name ]
+countryName = AU
+organizationName = Dodgy Brothers
+0.commonName = Brother 1
+1.commonName = $ENV::CN2
+
+[ v3_ee ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyAgreement
+
diff --git a/fuzz/conf_corpus/dafef760e88c3ab60b70bb9cd40c838525e21844 b/fuzz/conf_corpus/dafef760e88c3ab60b70bb9cd40c838525e21844
new file mode 100644
index 0000000..fe32e8d
--- /dev/null
+++ b/fuzz/conf_corpus/dafef760e88c3ab60b70bb9cd40c838525e21844
@@ -0,0 +1,112 @@
+# [ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CAcert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/CAkey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CAcert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/CAkey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = testkey.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Queensland
+stateOrProvinceName_value =
+
+localityName = Locality Name (eg, city)
+localityName_value = Brisbane
+
+organizationName = Organization Name (eg, company)
+organizationName_default =
+organizationName_value = CryptSoft Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default =
+organizationalUnitName_value = .
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Eric Young
+
+emailAddress = Email Address
+emailAddress_value = eay@mincom.oz.au
diff --git a/fuzz/conf_corpus/db3c104f8df5992c03182c0815ff2e18f55ab6e9 b/fuzz/conf_corpus/db3c104f8df5992c03182c0815ff2e18f55ab6e9
new file mode 100644
index 0000000..729aa2b
--- /dev/null
+++ b/fuzz/conf_corpus/db3c104f8df5992c03182c0815ff2e18f55ab6e9
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:BMP:hello
+
diff --git a/fuzz/conf_corpus/db88bc928305afb566adefef5015363f43ec722d b/fuzz/conf_corpus/db88bc928305afb566adefef5015363f43ec722d
new file mode 100644
index 0000000..b20a242
--- /dev/null
+++ b/fuzz/conf_corpus/db88bc928305afb566adefef5015363f43ec722d
@@ -0,0 +1,76 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha1
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Dodgy CA
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = v3_ca # The extensions to add to the cert
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
diff --git a/fuzz/conf_corpus/dd3c504d9aa688c7b6663010be449da67635f043 b/fuzz/conf_corpus/dd3c504d9aa688c7b6663010be449da67635f043
new file mode 100644
index 0000000..db43c1c
--- /dev/null
+++ b/fuzz/conf_corpus/dd3c504d9aa688c7b6663010be449da67635f043
@@ -0,0 +1,50 @@
+# [ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/fuzz/conf_corpus/dd9b29e2d9b871fac7942691fc72f5cbb36004f8 b/fuzz/conf_corpus/dd9b29e2d9b871fac7942691fc72f5cbb36004f8
new file mode 100644
index 0000000..d164287
--- /dev/null
+++ b/fuzz/conf_corpus/dd9b29e2d9b871fac7942691fc72f5cbb36004f8
@@ -0,0 +1,165 @@
+
+#
+# This config is used by the Time Stamp Authority tests.
+#
+
+RANDFILE = ./.rnd
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+TSDNSECT = ts_cert_dn
+INDEX = 1
+
+[ new_oids ]
+
+# Policies used by the TSA tests.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+#----------------------------------------------------------------------
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = ./demoCA
+certs = $dir/certs # Where the issued certs are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_md = sha256 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = supplied
+stateOrProvinceName = supplied
+organizationName = supplied
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+#----------------------------------------------------------------------
+[ req ]
+default_bits = 2048
+default_md = sha1
+distinguished_name = $ENV::TSDNSECT
+encrypt_rsa_key = no
+prompt = no
+# attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+string_mask = nombstr
+
+[ ts_ca_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Budapest
+organizationName = Gov-CA Ltd.
+commonName = ca1
+
+[ ts_cert_dn ]
+countryName = HU
+stateOrProvinceName = Budapest
+localityName = Buda
+organizationName = Hun-TSA Ltd.
+commonName = tsa$ENV::INDEX
+
+[ tsa_cert ]
+
+# TSA server cert is not a CA cert.
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ non_tsa_cert ]
+
+# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
+basicConstraints=CA:FALSE
+
+# The following key usage flags are needed for TSA server certificates.
+keyUsage = nonRepudiation, digitalSignature
+# timeStamping is not supported by this certificate
+# extendedKeyUsage = critical,timeStamping
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ca ]
+
+# Extensions for a typical CA
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+
+#----------------------------------------------------------------------
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/tsaca.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = yes # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+[ tsa_config2 ]
+
+# This configuration uses a certificate which doesn't have timeStamping usage.
+# These are used by the TSA reply generation only.
+dir = . # TSA root directory
+serial = $dir/tsa_serial # The current serial number (mandatory)
+signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
diff --git a/fuzz/conf_corpus/de9e4e5ccbea6b35551ac18fd955b8bdc9fa86e3 b/fuzz/conf_corpus/de9e4e5ccbea6b35551ac18fd955b8bdc9fa86e3
new file mode 100644
index 0000000..f4c75cb
--- /dev/null
+++ b/fuzz/conf_corpus/de9e4e5ccbea6b35551ac18fd955b8bdc9fa86e3
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:INT:0
+
diff --git a/fuzz/conf_corpus/dea83c239f1cf4b30155bb86eb2b8e15298f56e6 b/fuzz/conf_corpus/dea83c239f1cf4b30155bb86eb2b8e15298f56e6
new file mode 100644
index 0000000..b0579ed
--- /dev/null
+++ b/fuzz/conf_corpus/dea83c239f1cf4b30155bb86eb2b8e15298f56e6
@@ -0,0 +1,83 @@
+# [ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha1
+
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha1
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+commonName = Common Name (eg, YOUR name)
+commonName_value = Dodgy CA
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = v3_ca # The extensions to add to the cert
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical,CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
diff --git a/fuzz/conf_corpus/e055b94e4253ca8c820e7d90cd898e91c387305f b/fuzz/conf_corpus/e055b94e4253ca8c820e7d90cd898e91c387305f
new file mode 100644
index 0000000..04ff275
--- /dev/null
+++ b/fuzz/conf_corpus/e055b94e4253ca8c820e7d90cd898e91c387305f
@@ -0,0 +1,28 @@
+# [ssl_sect]
+# list of SSL configurations
+server = server_sect
+
+# Example config module configuration
+
+# Name supplied by application to CONF_modules_load_file
+# and section containing configuration
+testapp = test_sect
+
+[test_sect]
+# list of configuration modules
+
+# SSL configuration module
+ssl_conf = ssl_sect
+
+[ssl_sect]
+# list of SSL configurations
+server = server_sect
+
+[server_sect]
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
+# Certificates and keys
+RSA.Certificate=server.pem
+ECDSA.Certificate=server-ec.pem
diff --git a/fuzz/conf_corpus/e26367c7aa40d55985aff3458ed6b6bd775f4bfc b/fuzz/conf_corpus/e26367c7aa40d55985aff3458ed6b6bd775f4bfc
new file mode 100644
index 0000000..c7da588
--- /dev/null
+++ b/fuzz/conf_corpus/e26367c7aa40d55985aff3458ed6b6bd775f4bfc
@@ -0,0 +1,7 @@
+1.2.840.113554.4.1.72585.2 = ASN1:SEQ:seq1
+
+[seq1]
+val = SEQ:seq2
+[seq2]
+val = SEQ:seq1
+
diff --git a/fuzz/conf_corpus/e2c246860c12b137377d1fd48d24beafbeabe730 b/fuzz/conf_corpus/e2c246860c12b137377d1fd48d24beafbeabe730
new file mode 100644
index 0000000..9f3d29a
--- /dev/null
+++ b/fuzz/conf_corpus/e2c246860c12b137377d1fd48d24beafbeabe730
@@ -0,0 +1,19 @@
+# [providers]
+p_test_configured = p_test_configured
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = providers
+
+[providers]
+p_test_configured = p_test_configured
+
+[p_test_configured]
+module = p_test.dylib
+activate = 1
+greeting = Hello OpenSSL, greetings from Test Provider
diff --git a/fuzz/conf_corpus/e455aa989be06525bd8cf5ab6d8f5406a9735347 b/fuzz/conf_corpus/e455aa989be06525bd8cf5ab6d8f5406a9735347
new file mode 100644
index 0000000..b670be0
--- /dev/null
+++ b/fuzz/conf_corpus/e455aa989be06525bd8cf5ab6d8f5406a9735347
@@ -0,0 +1,358 @@
+# [ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/e53857febc1becd1ae5b928971a6e048938d34b3 b/fuzz/conf_corpus/e53857febc1becd1ae5b928971a6e048938d34b3
new file mode 100644
index 0000000..39ac54e
--- /dev/null
+++ b/fuzz/conf_corpus/e53857febc1becd1ae5b928971a6e048938d34b3
@@ -0,0 +1,24 @@
+# Example config module configuration
+
+# Name supplied by application to CONF_modules_load_file
+# and section containing configuration
+testapp = test_sect
+
+[test_sect]
+# list of configuration modules
+
+# SSL configuration module
+ssl_conf = ssl_sect
+
+[ssl_sect]
+# list of SSL configurations
+server = server_sect
+
+[server_sect]
+# Only support 3 curves
+Curves = P-521:P-384:P-256
+# Restricted signature algorithms
+SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
+# Certificates and keys
+RSA.Certificate=server.pem
+ECDSA.Certificate=server-ec.pem
diff --git a/fuzz/conf_corpus/e5ef73ebd19d87df954f20435820e1f30c9ce289 b/fuzz/conf_corpus/e5ef73ebd19d87df954f20435820e1f30c9ce289
new file mode 100644
index 0000000..5ea32eb
--- /dev/null
+++ b/fuzz/conf_corpus/e5ef73ebd19d87df954f20435820e1f30c9ce289
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = DER:0001020304
+
diff --git a/fuzz/conf_corpus/e734f951873b98f37a1f4418c045f2b81f03c2eb b/fuzz/conf_corpus/e734f951873b98f37a1f4418c045f2b81f03c2eb
new file mode 100644
index 0000000..957ce59
--- /dev/null
+++ b/fuzz/conf_corpus/e734f951873b98f37a1f4418c045f2b81f03c2eb
@@ -0,0 +1,379 @@
+# [ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/fuzz/conf_corpus/e89cd88731014345571db8549b41fc2bd97c3c77 b/fuzz/conf_corpus/e89cd88731014345571db8549b41fc2bd97c3c77
new file mode 100644
index 0000000..9ebd56a
--- /dev/null
+++ b/fuzz/conf_corpus/e89cd88731014345571db8549b41fc2bd97c3c77
@@ -0,0 +1,60 @@
+# [ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+####################################################################
+[ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
diff --git a/fuzz/conf_corpus/e91a9da2d47e9de221557d52e75bc88383651c74 b/fuzz/conf_corpus/e91a9da2d47e9de221557d52e75bc88383651c74
new file mode 100644
index 0000000..4d74085
--- /dev/null
+++ b/fuzz/conf_corpus/e91a9da2d47e9de221557d52e75bc88383651c74
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:INTEGER:10
+
diff --git a/fuzz/conf_corpus/ec90d9f753ca4d55f66f65839a9860c94497db24 b/fuzz/conf_corpus/ec90d9f753ca4d55f66f65839a9860c94497db24
new file mode 100644
index 0000000..d530e31
--- /dev/null
+++ b/fuzz/conf_corpus/ec90d9f753ca4d55f66f65839a9860c94497db24
@@ -0,0 +1,45 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = keySS.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+default_md = sha256
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_value = AU
+
+organizationName = Organization Name (eg, company)
+organizationName_value = Dodgy Brothers
+
+0.commonName = Common Name (eg, YOUR name)
+0.commonName_value = Brother 1
+
+1.commonName = Common Name (eg, YOUR name)
+1.commonName_value = Brother 2
+
+2.commonName = Common Name (eg, YOUR name)
+2.commonName_value = Proxy 1
+
+3.commonName = Common Name (eg, YOUR name)
+3.commonName_value = Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/fuzz/conf_corpus/ed1a1d969e7e6d58f52b9cb82fb0c7e67453e58c b/fuzz/conf_corpus/ed1a1d969e7e6d58f52b9cb82fb0c7e67453e58c
new file mode 100644
index 0000000..d397a64
--- /dev/null
+++ b/fuzz/conf_corpus/ed1a1d969e7e6d58f52b9cb82fb0c7e67453e58c
@@ -0,0 +1,60 @@
+# [ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CAcert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/CAkey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+
+[ default ]
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE = ./.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/new_certs # default place for new certs.
+
+certificate = $dir/CAcert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/CAkey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = md5 # which md to use.
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
diff --git a/fuzz/conf_corpus/f1eca4627e6a9f02bf41aca290f6cef886465fac b/fuzz/conf_corpus/f1eca4627e6a9f02bf41aca290f6cef886465fac
new file mode 100644
index 0000000..18fe178
--- /dev/null
+++ b/fuzz/conf_corpus/f1eca4627e6a9f02bf41aca290f6cef886465fac
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:UTC:invalid
+
diff --git a/fuzz/conf_corpus/f2d29c5a0fa65ac03ffca407d706a24b0d0c5c4e b/fuzz/conf_corpus/f2d29c5a0fa65ac03ffca407d706a24b0d0c5c4e
new file mode 100644
index 0000000..cbe4c7a
--- /dev/null
+++ b/fuzz/conf_corpus/f2d29c5a0fa65ac03ffca407d706a24b0d0c5c4e
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:NULL
+
diff --git a/fuzz/conf_corpus/f327bf51b3dbd27db36d1d8f5d60b2fd24b10af4 b/fuzz/conf_corpus/f327bf51b3dbd27db36d1d8f5d60b2fd24b10af4
new file mode 100644
index 0000000..bda6eec
--- /dev/null
+++ b/fuzz/conf_corpus/f327bf51b3dbd27db36d1d8f5d60b2fd24b10af4
@@ -0,0 +1,56 @@
+####################################################################
+[ req ]
+default_bits = 2432
+default_keyfile = cakey.pem
+default_md = sha256
+distinguished_name = req_DN
+string_mask = utf8only
+x509_extensions = v3_selfsign
+
+[ req_DN ]
+commonName = "Common Name"
+commonName_value = "CA"
+
+[ v3_selfsign ]
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+subjectKeyIdentifier=hash
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA
+certificate = ./demoCA/cacert.pem
+serial = ./demoCA/serial
+private_key = ./demoCA/private/cakey.pem
+new_certs_dir = ./demoCA/newcerts
+
+certificate = cacert.pem
+private_key = cakey.pem
+
+x509_extensions = v3_user
+
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+policy = policy_anything
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ v3_user ]
+basicConstraints=critical,CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+
diff --git a/fuzz/conf_corpus/fa0bc7b35fb3959a17dbc0320292d864b0df68be b/fuzz/conf_corpus/fa0bc7b35fb3959a17dbc0320292d864b0df68be
new file mode 100644
index 0000000..572af85
--- /dev/null
+++ b/fuzz/conf_corpus/fa0bc7b35fb3959a17dbc0320292d864b0df68be
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:BITLIST,BITSTR:1,invalid,5
+
diff --git a/fuzz/conf_corpus/fa88066fa3360a2a2347c6cc7fff330025b33591 b/fuzz/conf_corpus/fa88066fa3360a2a2347c6cc7fff330025b33591
new file mode 100644
index 0000000..543479a
--- /dev/null
+++ b/fuzz/conf_corpus/fa88066fa3360a2a2347c6cc7fff330025b33591
@@ -0,0 +1,20 @@
+# [default_sect]
+activate = 1
+
+
+
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+
+[default_sect]
+activate = 1
+
+
diff --git a/fuzz/conf_corpus/fadf69d83c1e00e57e2531854949d5d1770c1660 b/fuzz/conf_corpus/fadf69d83c1e00e57e2531854949d5d1770c1660
new file mode 100644
index 0000000..0da07ed
--- /dev/null
+++ b/fuzz/conf_corpus/fadf69d83c1e00e57e2531854949d5d1770c1660
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:NULL:invalid
+
diff --git a/fuzz/conf_corpus/fb131639df5a1df7894bb7e81f9e896624a0e9bf b/fuzz/conf_corpus/fb131639df5a1df7894bb7e81f9e896624a0e9bf
new file mode 100644
index 0000000..f212523
--- /dev/null
+++ b/fuzz/conf_corpus/fb131639df5a1df7894bb7e81f9e896624a0e9bf
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:BITLIST,BITSTR:1,5
+
diff --git a/fuzz/conf_corpus/fbe2f5f1cf481f17c44729e05776c5b5d4251f8f b/fuzz/conf_corpus/fbe2f5f1cf481f17c44729e05776c5b5d4251f8f
new file mode 100644
index 0000000..b24d974
--- /dev/null
+++ b/fuzz/conf_corpus/fbe2f5f1cf481f17c44729e05776c5b5d4251f8f
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:UNIV:hello
+
diff --git a/fuzz/conf_corpus/ffe92960d72947bfdc67cb350c73378fc7d2ba1b b/fuzz/conf_corpus/ffe92960d72947bfdc67cb350c73378fc7d2ba1b
new file mode 100644
index 0000000..f5f6f6a
--- /dev/null
+++ b/fuzz/conf_corpus/ffe92960d72947bfdc67cb350c73378fc7d2ba1b
@@ -0,0 +1,2 @@
+1.2.840.113554.4.1.72585.2 = ASN1:FORMAT:BITLIST,BITSTR:4294967296
+
