Hello,

I am Tobias, and I am trying to verify a certificate chain outside of an SSL/TLS connection, using the wolfSSL certificate manager (CertManager). When I call the wolfSSL_CertManagerLoadCABuffer() function, I get the following error:

wolfSSL_CertManagerLoadCABuffer() failed (-140): ASN parsing error, invalid input
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Entering wolfSSL_CertManagerLoadCABuffer
wolfSSL Entering TLSv1_1_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Entering wolfSSL_CTX_load_verify_buffer
Processing CA PEM file
wolfSSL Entering PemToDer
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Cert name lacks set header, trying sequence
    Parsed new CA
    No key size check done on CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return -140
wolfSSL error occurred, error = -140
CA Parse failed, with progress in file.
Search for other certs in file
wolfSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
wolfSSL Entering wolfSSL_CertManagerFree
wolfSSL Leaving SSL_CTX_free, return 0
wolfSSL Entering wolfSSL_CertManagerFree

My modified version of the wolfssl-examples/certmanager/certloadverifybuffer.c code:

#include <stdio.h>
//#include <stdlib.h>

#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
//#include <wolfssl/certs_test.h>

#ifdef CERTTEST

#define FOLD
#ifdef FOLD

/*
 * PEM-encoded certificate that main() loads as the trusted CA via
 * wolfSSL_CertManagerLoadCABuffer().
 *
 * The initializer is a string literal, so sizeof(authCert) also counts the
 * terminating NUL byte that follows the final newline.
 *
 * NOTE(review): the base64 body appears to decode to a certificate whose
 * signature algorithm is RSASSA-PSS (OID 1.2.840.113549.1.1.10, with explicit
 * parameters) and whose validity runs from 2010-07-13 to 2016-01-03 -- confirm
 * with an ASN.1 dump. If so, the library's parser has to understand the PSS
 * AlgorithmIdentifier parameters, and a date check would be expected to
 * reject the certificate even once parsing succeeds.
 */
static const byte authCert[] = "\
-----BEGIN CERTIFICATE-----\n\
MIIFazCCBCKgAwIBAgIJAKmJV6cI/tYpMD4GCSqGSIb3DQEBCjAxoAswCQYFKw4D\n\
AhoFAKEYMBYGCSqGSIb3DQEBCDAJBgUrDgMCGgUAogMCARSjAwIBATCBszELMAkG\n\
A1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjESMBAGA1UEBxMJRnJhbmtmdXJ0MR4w\n\
HAYDVQQKExVQU1MgdGVzdCBjZXJ0aWZpY2F0ZXMxOTA3BgNVBAsTMGNyZWF0ZWQg\n\
YnkgTWFydGluIEthaXNlciAoaHR0cDovL3d3dy5rYWlzZXIuY3gvKTEkMCIGA1UE\n\
AxMbUFNTIHRlc3RSb290IENBIENlcnRpZmljYXRlMB4XDTEwMDcxMzE5NTc1NVoX\n\
DTE2MDEwMzE5NTc1NVowgbMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4x\n\
EjAQBgNVBAcTCUZyYW5rZnVydDEeMBwGA1UEChMVUFNTIHRlc3QgY2VydGlmaWNh\n\
dGVzMTkwNwYDVQQLEzBjcmVhdGVkIGJ5IE1hcnRpbiBLYWlzZXIgKGh0dHA6Ly93\n\
d3cua2Fpc2VyLmN4LykxJDAiBgNVBAMTG1BTUyB0ZXN0Um9vdCBDQSBDZXJ0aWZp\n\
Y2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZnLiVdh/4aR2Gj\n\
FKBiDmuNe8o6NJSgNRMXv+zweb1CQRUQ4HzdiZDRBTxAGM+83/ofeD3ALUyDGniX\n\
fbjxv05QyPGnJDjJYpdQ3ilM4MXoEYz7ZfB4/AVh1zvqELFR3a2TZ78oQGYJBeF3\n\
vAmVuDwCrZ8J7xddABt7ceqDtzhhNcvOWDZxXtzK5yDtb4N/RMJZtbK6ZNsLV/+J\n\
OMHT+22xycE6tE2gMCqUUC2b2MpnW71GqtkKxaA36VXl/c4Z0IhNE2Zx3qy5NVsU\n\
Z+NYw6JrWtEw+kf2j0bKj5w0LMlERKbNib4kofcMJ8qPEIvk1u6T30vKUb7HQdU7\n\
2OuTWQ8CAwEAAaOCARwwggEYMB0GA1UdDgQWBBTfH+IBoj70+Wn4OseW1pkNL7bO\n\
MzCB6AYDVR0jBIHgMIHdgBTfH+IBoj70+Wn4OseW1pkNL7bOM6GBuaSBtjCBszEL\n\
MAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjESMBAGA1UEBxMJRnJhbmtmdXJ0\n\
MR4wHAYDVQQKExVQU1MgdGVzdCBjZXJ0aWZpY2F0ZXMxOTA3BgNVBAsTMGNyZWF0\n\
ZWQgYnkgTWFydGluIEthaXNlciAoaHR0cDovL3d3dy5rYWlzZXIuY3gvKTEkMCIG\n\
A1UEAxMbUFNTIHRlc3RSb290IENBIENlcnRpZmljYXRlggkAqYlXpwj+1ikwDAYD\n\
VR0TBAUwAwEB/zA+BgkqhkiG9w0BAQowMaALMAkGBSsOAwIaBQChGDAWBgkqhkiG\n\
9w0BAQgwCQYFKw4DAhoFAKIDAgEUowMCAQEDggEBAJ8GcFT/Jdhz65JK0c9EFdAq\n\
8FKa9VWX7QDQlIuu0UbZaHYaFmY1NbXcxlvTOD1ArByCHpFQ8+wrXgLrxedlm/fI\n\
9WkvFsyvC1kSeV88C90E3mh+w9i2Qsz0Gjj2RjD98cPsqqQO7q/7uvKNcHMN5nKi\n\
VuIPMr5fisx0C/IBQAunBfzBfdGmjoNaahDBYCKiyAaU7A+dYorRbMJF7SxBhTr1\n\
WI/N3LlBKLF5mvtDYg7sXx6ULR/xAKKkVeUTIgGMYq/s46ZMP11QrfRHx4zNAwP9\n\
aARZeUz1X0/LM6LgaQvVIhZqbyB637eZhusOP3226TDn7hGx/UdS0UxSwfjrzS8=\n\
-----END CERTIFICATE-----\n";

/*
 * PEM-encoded certificate that main() checks against the loaded CA via
 * wolfSSL_CertManagerVerifyBuffer().
 *
 * The initializer is a string literal, so sizeof(verifyCert) also counts the
 * terminating NUL byte that follows the final newline.
 *
 * NOTE(review): the base64 body appears to decode to a certificate signed
 * with RSASSA-PSS (OID 1.2.840.113549.1.1.10) and valid from 2010-07-13 to
 * 2016-01-03 -- confirm with an ASN.1 dump. A verifier that enforces validity
 * dates would be expected to reject it regardless of the signature result.
 */
static const byte verifyCert[] = "\
-----BEGIN CERTIFICATE-----\n\
MIIEvDCCA3OgAwIBAgICEAEwPgYJKoZIhvcNAQEKMDGgCzAJBgUrDgMCGgUAoRgw\n\
FgYJKoZIhvcNAQEIMAkGBSsOAwIaBQCiAwIBFKMDAgEBMIGzMQswCQYDVQQGEwJE\n\
RTEPMA0GA1UECBMGSGVzc2VuMRIwEAYDVQQHEwlGcmFua2Z1cnQxHjAcBgNVBAoT\n\
FVBTUyB0ZXN0IGNlcnRpZmljYXRlczE5MDcGA1UECxMwY3JlYXRlZCBieSBNYXJ0\n\
aW4gS2Fpc2VyIChodHRwOi8vd3d3LmthaXNlci5jeC8pMSQwIgYDVQQDExtQU1Mg\n\
dGVzdFJvb3QgQ0EgQ2VydGlmaWNhdGUwHhcNMTAwNzEzMTk1ODI1WhcNMTYwMTAz\n\
MTk1ODI1WjCBrjELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjESMBAGA1UE\n\
BxMJRnJhbmtmdXJ0MR4wHAYDVQQKExVQU1MgdGVzdCBjZXJ0aWZpY2F0ZXMxOTA3\n\
BgNVBAsTMGNyZWF0ZWQgYnkgTWFydGluIEthaXNlciAoaHR0cDovL3d3dy5rYWlz\n\
ZXIuY3gvKTEfMB0GA1UEAxMWUFNTIENsaWVudCBDZXJ0aWZpY2F0ZTCCASIwDQYJ\n\
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANkLrMSIIRkN3xdaGievqVyBzyAsdQoi\n\
i1+gJkMDTVOL7b8f3esH8yDgNkQOa8tCtdNxFhq/cZsldSJuZXFb4gUtQZc1DwLo\n\
4GIw6L8uk+CCCt9NeaJeTab31SZG18JRRHRRvb9C4q0QeaNfspKELXeV0KFnrh4K\n\
69v5i/AN8GK/RQWYxqlLgY8v2YwIWwPmqFAhJrVXJHEzcHdVHIfpcuTuH4Nvrxmb\n\
H6XvSX4uraHlneGYMsPePhfGunbOfXQgdLQMyM5Sj2LXmkxr8pVz7V6KJQIVAl0r\n\
4oA34lAB0zKYfkJJDPyghBCemwhCe0tEUx0fitrj1rBoENI8NP7AZvkCAwEAAaN7\n\
MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg\n\
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFCjZAcd3fo5Rjx8u3PHUNIp5ZbQ7MB8GA1Ud\n\
IwQYMBaAFN8f4gGiPvT5afg6x5bWmQ0vts4zMD4GCSqGSIb3DQEBCjAxoAswCQYF\n\
Kw4DAhoFAKEYMBYGCSqGSIb3DQEBCDAJBgUrDgMCGgUAogMCARSjAwIBAQOCAQEA\n\
rO3xdxs9GkamZwXImt+wRWwYs+MpPEVFyMFq5CY2gmbuKKNb/x15MxmXg6ic9VzM\n\
SC/flOVlcN+4e305FApeR4yhkf5oYC5b52jXsD2Vozt7jELeXFdiw3Ylfe1G1vcZ\n\
vVSHngekonYIVFxMw0IXiEVphwX7SmfjTjgzhN0n+1LOppdktpbx69Yv66Yr6K2a\n\
8joa1Sguz1LJmzwDUtAaVQkZv7W3O41GpRSXk5Kahv5DgeN/1U+caHiNLK9tKfNE\n\
xD0kXtALc/VKdhsOTrv6i2X/HopFPwEifSPxwp32KePtnb93Ueqkc3jFMm0lxvy2\n\
Hgwyk/rtCq5eH32tODWomw==\n\
-----END CERTIFICATE-----\n";
#endif

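/*
 * Load authCert as a trusted CA into a standalone wolfSSL certificate manager
 * and verify verifyCert against it, without creating a TLS session.
 *
 * Returns 0 when verification succeeds and -1 on any failure. The previous
 * version returned SSL_SUCCESS on the success path, which gave the process a
 * non-zero exit status even though the certificate had verified.
 *
 * Scope of the check: no CRL or OCSP is enabled on the manager in this
 * program, so revocation status is not consulted, and no host name or
 * intended-usage policy is applied here. A caller relying on the result has
 * to add those checks separately.
 */
int main(void){
    int ret = -1;                     /* fail closed until verification passes */
    int rc;
    WOLFSSL_CERT_MANAGER* cm = NULL;

    if (wolfSSL_Init() != SSL_SUCCESS) {
        printf("wolfSSL_Init() failed\n");
        return -1;
    }

#ifdef DEBUG_WOLFSSL
    wolfSSL_Debugging_ON();
#endif

    cm = wolfSSL_CertManagerNew();
    if (cm == NULL) {
        printf("wolfSSL_CertManagerNew() failed\n");
        goto exit;                    /* still run library cleanup */
    }

    /*
     * A parse error reported here (for example the -140 "ASN parsing error"
     * shown in the log) means the CA certificate itself could not be decoded,
     * so nothing has been added to the trust store.
     */
    rc = wolfSSL_CertManagerLoadCABuffer(cm, authCert, sizeof(authCert),
                                         SSL_FILETYPE_PEM);
    if (rc != SSL_SUCCESS) {
        printf("wolfSSL_CertManagerLoadCABuffer() failed (%d): %s\n",
               rc, wolfSSL_ERR_reason_error_string(rc));
        goto exit;
    }

    rc = wolfSSL_CertManagerVerifyBuffer(cm, verifyCert, sizeof(verifyCert),
                                         SSL_FILETYPE_PEM);
    if (rc != SSL_SUCCESS) {
        /* Name the function that actually failed. */
        printf("wolfSSL_CertManagerVerifyBuffer() failed (%d): %s\n",
               rc, wolfSSL_ERR_reason_error_string(rc));
        goto exit;
    }

    printf("Verification Successful!\n");
    ret = 0;

exit:
    if (cm != NULL) {
        wolfSSL_CertManagerFree(cm);
    }
#ifdef DEBUG_WOLFSSL
    wolfSSL_Debugging_OFF();
#endif
    wolfSSL_Cleanup();

    return ret;
}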

#endif

I downloaded the certificates from here: https://www.kaiser.cx/x509Pss.html
They produce the same error code as my own certificate.

The patch that is described in the following topic couldn't solve my problem.
https://www.wolfssl.com/forums/topic139 … ecert.html

Could you give me a short explanation of the following error message as well?
Cert name lacks set header, trying sequence

Thanks & Regards,
Tobias