From 1fbdfeee59e9c32f7941bc957e3aa11a8ec37dc1 Mon Sep 17 00:00:00 2001
From: Zhi Guan <guanzhi1980@gmail.com>
Date: Wed, 1 Feb 2023 11:03:33 +0800
Subject: [PATCH] Update CRL related code

---
 .gitignore              |   1 +
 demos/certdemo.sh       |  15 +++--
 demos/certs/SubCA-1.crl | Bin 0 -> 350 bytes
 src/x509_cer.c          |  34 ++++++------
 src/x509_crl.c          |   2 +-
 src/x509_ext.c          |  14 ++---
 tools/certgen.c         |  20 +++----
 tools/crlverify.c       | 118 +++++++++++++++++++++-------------------
 tools/reqsign.c         |  24 ++++----
 9 files changed, 118 insertions(+), 110 deletions(-)
 create mode 100644 demos/certs/SubCA-1.crl

diff --git a/.gitignore b/.gitignore
index c426e466..2619cec2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 # generated file
 /build*
 /demos/*.pem
+/demos/.private
 
 # Object files
 *.o
diff --git a/demos/certdemo.sh b/demos/certdemo.sh
index a328c28d..0b3d91ee 100755
--- a/demos/certdemo.sh
+++ b/demos/certdemo.sh
@@ -5,29 +5,28 @@ gmssl sm2keygen -pass 1234 -out rootcakey.pem
 gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \
 	-key rootcakey.pem -pass 1234 \
 	-out rootcacert.pem \
-	-ca -path_len_constraints 6 \
+	-ca -path_len_constraint 6 \
 	-key_usage keyCertSign -key_usage cRLSign \
 	-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
 
-
 gmssl certparse -in rootcacert.pem
 
 gmssl sm2keygen -pass 1234 -out cakey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem
 gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem \
-	-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
+	-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
 gmssl certparse -in cacert.pem
 
 gmssl sm2keygen -pass 1234 -out signkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem
 gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem \
-	-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
+	-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
 gmssl certparse -in signcert.pem
 
 gmssl sm2keygen -pass 1234 -out enckey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem
 gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem \
-	-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
+	-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
 gmssl certparse -in enccert.pem
 
 
diff --git a/demos/certs/SubCA-1.crl b/demos/certs/SubCA-1.crl
new file mode 100644
index 0000000000000000000000000000000000000000..e4a4def0c3dbb188f20ec435d89f054694fe775c
GIT binary patch
literal 350
zcmXqLVvI6qVq{=qWHjJn<Irl9IUmZ{Txt+&$Zf#M#vIDRCd}mQXDDF62jXxDvpc0`
zW@YB3!$jDH**y|7Q!*3t40(VC0M&2_GY5Ew!nAV(wFevW8}Ndpn1$JbOOq6w9mRQ#
zj17zo3=ND-jSNhq3|tHpn0OglPd3e5|9Sp;yX24p34S93m>LsvQ==%bia&0f-rLXV
z->Rjf;)<fe!oVbIfwh69fi}<{S!EU#1EmIq{?m&kgVIjV*m}WDLb)I~<kY3;cb(mz
z{Q^S{e7<$7@-5iCvLY<ZXr5>GU@&lHQjooF)>=Nhr%Pdy&7_arYb|Z9Os0r!|E42q
x<-A?>^yi&SiVPo0HgxfYz0i~UlzsGd{?^A@`yV`>#`pTga_!Jve-C$@1OPbgXe|H$

literal 0
HcmV?d00001

diff --git a/src/x509_cer.c b/src/x509_cer.c
index 9dcdfdfa..87d3376f 100644
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -1669,7 +1669,7 @@ int x509_certs_get_cert_by_issuer_and_serial_number(
 // 这里面需要validate的类型是两种，一种直接得到了实际值，因此可以直接对实际值做验证
 // 另一种是SEQUENCE OF类型，本质上是完整的a,alen，因此这种类型实际上可以用from_der来解析
 int x509_cert_validate(const uint8_t *cert, size_t certlen, int cert_type,
-	int *path_len_constraints)
+	int *path_len_constraint)
 {
 	int version;
 	time_t now;
@@ -1740,7 +1740,7 @@ int x509_cert_validate(const uint8_t *cert, size_t certlen, int cert_type,
 		//return -1;
 	}
 
-	if (x509_exts_validate(exts, extslen, cert_type, path_len_constraints) != 1) {
+	if (x509_exts_validate(exts, extslen, cert_type, path_len_constraint) != 1) {
 		error_print();
 		return -1;
 	}
@@ -1765,7 +1765,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 	size_t namelen;
 
 	int path_len = 0;
-	int path_len_constraints;
+	int path_len_constraint;
 
 	switch (certs_type) {
 	case X509_cert_chain_server:
@@ -1784,7 +1784,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 		error_print();
 		return -1;
 	}
-	if (x509_cert_validate(cert, certlen, entity_cert_type, &path_len_constraints) != 1) {
+	if (x509_cert_validate(cert, certlen, entity_cert_type, &path_len_constraint) != 1) {
 		error_print();
 		return -1;
 	}
@@ -1795,18 +1795,18 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 			error_print();
 			return -1;
 		}
-		if (x509_cert_validate(cert, certlen, X509_cert_ca, &path_len_constraints) != 1) {
+		if (x509_cert_validate(cert, certlen, X509_cert_ca, &path_len_constraint) != 1) {
 			error_print();
 			return -1;
 		}
 
 		if (path_len == 0) {
-			if (path_len_constraints != 0) {
+			if (path_len_constraint != 0) {
 				error_print();
 				return -1;
 			}
 		}
-		if ((path_len_constraints >= 0 && path_len > path_len_constraints)
+		if ((path_len_constraint >= 0 && path_len > path_len_constraint)
 			|| path_len > depth) {
 			error_print();
 			return -1;
@@ -1833,11 +1833,11 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 		return -1;
 	}
 
-	if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
+	if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
 		error_print();
 		return -1;
 	}
-	if ((path_len_constraints >= 0 && path_len > path_len_constraints)
+	if ((path_len_constraint >= 0 && path_len > path_len_constraint)
 		|| path_len > depth) {
 		error_print();
 		return -1;
@@ -1866,7 +1866,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 	size_t namelen;
 
 	int path_len = 0;
-	int path_len_constraints;
+	int path_len_constraint;
 
 	switch (certs_type) {
 	case X509_cert_chain_server:
@@ -1886,7 +1886,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 		error_print();
 		return -1;
 	}
-	if (x509_cert_validate(cert, certlen, sign_cert_type, &path_len_constraints) != 1) {
+	if (x509_cert_validate(cert, certlen, sign_cert_type, &path_len_constraint) != 1) {
 		error_print();
 		return -1;
 	}
@@ -1896,7 +1896,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 		error_print();
 		return -1;
 	}
-	if (x509_cert_validate(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraints) != 1) {
+	if (x509_cert_validate(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraint) != 1) {
 		error_print();
 		return -1;
 	}
@@ -1907,13 +1907,13 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 			error_print();
 			return -1;
 		}
-		if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
+		if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
 			error_print();
 			return -1;
 		}
 
 		if (path_len == 0) {
-			if (path_len_constraints != 0) {
+			if (path_len_constraint != 0) {
 				error_print();
 				return -1;
 			}
@@ -1925,7 +1925,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 				return -1;
 			}
 		}
-		if ((path_len_constraints >= 0 && path_len > path_len_constraints)
+		if ((path_len_constraint >= 0 && path_len > path_len_constraint)
 			|| path_len > depth) {
 			error_print();
 			return -1;
@@ -1951,11 +1951,11 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 		error_print();
 		return -1;
 	}
-	if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
+	if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
 		error_print();
 		return -1;
 	}
-	if ((path_len_constraints >= 0 && path_len > path_len_constraints)
+	if ((path_len_constraint >= 0 && path_len > path_len_constraint)
 		|| path_len > depth) {
 		error_print();
 		return -1;
diff --git a/src/x509_crl.c b/src/x509_crl.c
index e59df376..8d38f19b 100644
--- a/src/x509_crl.c
+++ b/src/x509_crl.c
@@ -529,7 +529,7 @@ int x509_revoked_cert_from_der(
 	}
 	if (asn1_integer_from_der(serial, serial_len, &d, &dlen) != 1
 		|| x509_time_from_der(revoke_date, &d, &dlen) != 1
-		|| asn1_sequence_from_der(crl_entry_exts, crl_entry_exts_len, &d, &dlen) != 1
+		|| asn1_sequence_from_der(crl_entry_exts, crl_entry_exts_len, &d, &dlen) < 0
 		|| asn1_length_is_zero(dlen) != 1) {
 		error_print();
 		return -1;
diff --git a/src/x509_ext.c b/src/x509_ext.c
index 511870ad..7018b75d 100644
--- a/src/x509_ext.c
+++ b/src/x509_ext.c
@@ -1532,16 +1532,16 @@ int x509_basic_constraints_validate(int ca, int path_len_cons, int cert_type)
 	/*
 	entity_cert:
 		ca = -1 or 0
-		path_len_constraints = -1
+		path_len_constraint = -1
 	first_ca_cert:
 		ca = 1
-		path_len_constraints = 0
+		path_len_constraint = 0
 	middle_ca_cert:
 		ca = 1
-		path_len_constraints = -1 or > 0
+		path_len_constraint = -1 or > 0
 	root_ca_cert:
 		ca = 1
-		path_len_constraints = -1 or > 0 (=0 might be ok?)
+		path_len_constraint = -1 or > 0 (=0 might be ok?)
 	*/
 	if (cert_type == X509_cert_ca) {
 		if (ca != 1) {
@@ -2307,7 +2307,7 @@ int x509_netscape_cert_type_print(FILE *fp, int fmt, int ind, const char *label,
 }
 
 int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
-	int *path_len_constraints)
+	int *path_len_constraint)
 {
 	int oid;
 	uint32_t nodes[32];
@@ -2322,7 +2322,7 @@ int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
 	int ext_key_usages[X509_MAX_KEY_PURPOSES];
 	size_t ext_key_usages_cnt;
 
-	*path_len_constraints = -1;
+	*path_len_constraint = -1;
 
 	while (extslen) {
 		if (x509_ext_from_der(&oid, nodes, &nodes_cnt, &critical, &val, &vlen, &exts, &extslen) != 1) {
@@ -2434,7 +2434,7 @@ int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
 			error_print();
 			return -1;
 		}
-		*path_len_constraints = path_len;
+		*path_len_constraint = path_len;
 		break;
 	}
 
diff --git a/tools/certgen.c b/tools/certgen.c
index a246cd8d..ebcf611f 100644
--- a/tools/certgen.c
+++ b/tools/certgen.c
@@ -33,7 +33,7 @@ static const char *options =
 	" [-key_usage str]*"
 	" [-subject_dns_name str]*"
 	" [-issuer_dns_name str]*"
-	" [-ca -path_len_constraints num]"
+	" [-ca -path_len_constraint num]"
 	" [-ext_key_usage str]*"
 	" [-crl_http_uri uri] [-crl_ldap_uri uri]"
 	" [-inhibit_any_policy num]"
@@ -85,7 +85,7 @@ static char *usage =
 "    -issuer_dns_name str         Add DNS name to IssuerAltName extension\n"
 "                                 this option can be called multi-times\n"
 "    -ca                          Set cA of BasicConstaints extension\n"
-"    -path_len_constraints num    Set pathLenConstaints of BasicConstaints extension\n"
+"    -path_len_constraint num     Set pathLenConstraint of BasicConstaints extension\n"
 "    -ext_key_usage str           Set ExtKeyUsage extension\n"
 "                                 this option can be called multi-times\n"
 "                                 avaiable values:\n"
@@ -108,7 +108,7 @@ static char *usage =
 "\n"
 "    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
 "          -key rootcakey.pem -pass P@ssw0rd \\\n"
-"          -ca -path_len_constraints 6 \\\n"
+"          -ca -path_len_constraint 6 \\\n"
 "          -key_usage keyCertSign -key_usage cRLSign \\\n"
 "          -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
 "          -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -187,7 +187,7 @@ int certgen_main(int argc, char **argv)
 
 	// BasicConstraints
 	int ca = -1;
-	int path_len_constraints = -1;
+	int path_len_constraint = -1;
 
 	// ExtKeyUsageSyntax
 	int ext_key_usages[12];
@@ -316,11 +316,11 @@ int certgen_main(int argc, char **argv)
 			}
 		} else if (!strcmp(*argv, "-ca")) {
 			ca = 1;
-		} else if (!strcmp(*argv, "-path_len_constraints")) {
+		} else if (!strcmp(*argv, "-path_len_constraint")) {
 			if (--argc < 1) goto bad;
-			path_len_constraints = atoi(*(++argv));
-			if (path_len_constraints < 0) {
-				fprintf(stderr, "%s: invalid `-path_len_constraints` value\n", prog);
+			path_len_constraint = atoi(*(++argv));
+			if (path_len_constraint < 0) {
+				fprintf(stderr, "%s: invalid `-path_len_constraint` value\n", prog);
 				goto end;
 			}
 		} else if (!strcmp(*argv, "-ext_key_usage")) {
@@ -459,9 +459,9 @@ bad:
 		}
 	}
 	// no SubjectDirectoryAttributes
-	if (ca >= 0 || path_len_constraints >= 0) {
+	if (ca >= 0 || path_len_constraint >= 0) {
 		if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
-			X509_critical, ca, path_len_constraints) != 1) {
+			X509_critical, ca, path_len_constraint) != 1) {
 			fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
 			goto end;
 		}
diff --git a/tools/crlverify.c b/tools/crlverify.c
index f40bfa87..981c8a1e 100644
--- a/tools/crlverify.c
+++ b/tools/crlverify.c
@@ -12,30 +12,45 @@
 #include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+#include <gmssl/hex.h>
 #include <gmssl/file.h>
 #include <gmssl/x509.h>
 #include <gmssl/x509_crl.h>
 
 
-static const char *options = "-in file -cacert file\n";
+static const char *usage = " -in der -cacert pem [-req_sm2_id str | -req_sm2_id_hex hex]\n";
+static const char *options =
+"Options\n"
+"\n"
+"    -in pem                      Input CSR file in PEM format\n"
+"    -cacert pem                  Issuer CA certificate\n"
+"    -sm2_id str                  Authority's ID in SM2 signature algorithm\n"
+"    -sm2_id_hex hex              Authority's ID in hex format\n"
+"                                 When `-sm2_id` or `-sm2_id_hex` is specified,\n"
+"                                   must use the same ID in other commands explicitly.\n"
+"                                 If neither `-sm2_id` nor `-sm2_id_hex` is specified,\n"
+"                                   the default string '1234567812345678' is used\n"
+"\n"
+"Examples\n"
+"\n"
+"    gmssl certverify -in crl.der -cacert cacert.pem\n"
+"\n";
 
 int crlverify_main(int argc, char **argv)
 {
 	int ret = 1;
 	char *prog = argv[0];
-	char *infile = NULL;
-	char *cacertfile = NULL;
-	FILE *infp = NULL;
-	FILE *cacertfp = NULL;
-	uint8_t *in = NULL;
-	size_t inlen;
-	const uint8_t *pin;
-	const uint8_t *crl = NULL;
-	size_t crllen;
+	char *str;
+
+	uint8_t *crl = NULL;
+	size_t crl_len;
+	uint8_t *cacert = NULL;
+	size_t cacertlen;
+	char signer_id[SM2_MAX_ID_LENGTH + 1] = SM2_DEFAULT_ID;
+	size_t signer_id_len = strlen(SM2_DEFAULT_ID);
+
 	const uint8_t *subject;
 	size_t subject_len;
-	uint8_t cacert[1024];
-	size_t cacertlen;
 	int rv;
 
 	argc--;
@@ -53,23 +68,43 @@ int crlverify_main(int argc, char **argv)
 			goto end;
 		} else if (!strcmp(*argv, "-in")) {
 			if (--argc < 1) goto bad;
-			infile = *(++argv);
-			if (!(infp = fopen(infile, "rb"))) {
-				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, infile, strerror(errno));
+			str = *(++argv);
+			if (file_read_all(str, &crl, &crl_len) != 1) {
+				fprintf(stderr, "%s: read '%s' failure : %s\n", prog, str, strerror(errno));
 				goto end;
 			}
 		} else if (!strcmp(*argv, "-cacert")) {
 			if (--argc < 1) goto bad;
-			cacertfile = *(++argv);
-			if (!(cacertfp = fopen(cacertfile, "rb"))) {
-				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno));
+			str = *(++argv);
+			if (x509_cert_new_from_file(&cacert, &cacertlen, str) != 1) {
+				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, str, strerror(errno));
+				goto end;
+			}
+		} else if (!strcmp(*argv, "-sm2_id")) {
+			if (--argc < 1) goto bad;
+			str = *(++argv);
+			if (strlen(str) > sizeof(signer_id) - 1) {
+				fprintf(stderr, "%s: invalid `-sm2_id` length\n", prog);
+				goto end;
+			}
+			strncpy(signer_id, str, sizeof(signer_id));
+			signer_id_len = strlen(str);
+		} else if (!strcmp(*argv, "-sm2_id_hex")) {
+			if (--argc < 1) goto bad;
+			str = *(++argv);
+			if (strlen(str) > (sizeof(signer_id) - 1) * 2) {
+				fprintf(stderr, "%s: invalid `-sm2_id_hex` length\n", prog);
+				goto end;
+			}
+			if (hex_to_bytes(str, strlen(str), (uint8_t *)signer_id, &signer_id_len) != 1) {
+				fprintf(stderr, "%s: invalid `-sm2_id_hex` value\n", prog);
 				goto end;
 			}
 		} else {
-			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
+			fprintf(stderr, "%s: illegal option `%s`\n", prog, *argv);
 			goto end;
 bad:
-			fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
+			fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
 			goto end;
 		}
 
@@ -77,46 +112,20 @@ bad:
 		argv++;
 	}
 
-	if (!infile) {
-		fprintf(stderr, "%s: '-in' option required\n", prog);
+	if (!crl) {
+		fprintf(stderr, "%s: `-in` option required\n", prog);
 		goto end;
 	}
-	if (!cacertfile) {
-		fprintf(stderr, "%s: '-cacert' option required\n", prog);
+	if (!cacert) {
+		fprintf(stderr, "%s: `-cacert` option required\n", prog);
 		goto end;
 	}
 
-	if (file_size(infp, &inlen) != 1) {
-		fprintf(stderr, "%s: get input length failed\n", prog);
-		goto end;
-	}
-	if (!(in = malloc(inlen))) {
-		fprintf(stderr, "%s: malloc failure\n", prog);
-		goto end;
-	}
-	if (fread(in, 1, inlen, infp) != inlen) {
-		fprintf(stderr, "%s: read file error : %s\n",  prog, strerror(errno));
-		goto end;
-	}
-	pin = in;
-	if (x509_crl_from_der(&crl, &crllen, &pin, &inlen) != 1
-		|| asn1_length_is_zero(inlen) != 1) {
-		fprintf(stderr, "%s: read CRL failure\n", prog);
-		goto end;
-	}
-	if (x509_crl_get_issuer(crl, crllen, &subject, &subject_len) != 1) {
-		fprintf(stderr, "%s: inner error\n", prog);
-		goto end;
-	}
-	if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), subject, subject_len, cacertfp) != 1) {
-		fprintf(stderr, "%s: read certificate failure\n", prog);
-		goto end;
-	}
-	if (x509_crl_validate(crl, crllen, time(NULL)) != 1) {
+	if (x509_crl_validate(crl, crl_len, time(NULL)) != 1) {
 		fprintf(stderr, "%s: invalid CRL data or format\n", prog);
 		goto end;
 	}
-	if ((rv = x509_crl_verify_by_ca_cert(crl, crllen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
+	if ((rv = x509_crl_verify_by_ca_cert(crl, crl_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
 		fprintf(stderr, "%s: verification inner error\n", prog);
 		goto end;
 	}
@@ -125,8 +134,7 @@ bad:
 	if (rv == 1) ret = 0;
 
 end:
-	if (infile && infp) fclose(infp);
-	if (cacertfp) fclose(cacertfp);
-	if (in) free(in);
+	if (crl) free(crl);
+	if (cacert) free(cacert);
 	return ret;
 }
diff --git a/tools/reqsign.c b/tools/reqsign.c
index 9f221f70..0f8e65ba 100644
--- a/tools/reqsign.c
+++ b/tools/reqsign.c
@@ -33,7 +33,7 @@ static const char *options =
 	" [-key_usage str]*"
 	" [-subject_dns_name str]*"
 	" [-issuer_dns_name str]*"
-	" [-ca -path_len_constraints num]"
+	" [-ca -path_len_constraint num]"
 	" [-ext_key_usage str]*"
 	" [-crl_http_uri uri] [-crl_ldap_uri uri]"
 	" [-inhibit_any_policy num]"
@@ -43,7 +43,7 @@ static const char *options =
 static char *usage =
 "Options\n"
 "\n"
-"    -in pem                      Input CSR file in PEM format\n"
+"    -in pem | stdin              Input CSR file in PEM format\n"
 "    -req_sm2_id str              CSR Owner's ID in SM2 signature algorithm\n"
 "    -req_sm2_id_hex hex          CSR Owner's ID in hex format\n"
 "                                 When `-req_sm2_id` or `-req_sm2_id_hex` is specified,\n"
@@ -84,7 +84,7 @@ static char *usage =
 "    -issuer_dns_name str         Add DNS name to IssuerAltName extension\n"
 "                                 this option can be called multi-times\n"
 "    -ca                          Set cA of BasicConstaints extension\n"
-"    -path_len_constraints num    Set pathLenConstaints of BasicConstaints extension\n"
+"    -path_len_constraint num    Set pathLenConstaint of BasicConstaints extension\n"
 "    -ext_key_usage str           Set ExtKeyUsage extension\n"
 "                                 this option can be called multi-times\n"
 "                                 avaiable values:\n"
@@ -108,7 +108,7 @@ static char *usage =
 "    gmssl sm2keygen -pass P@ssw0rd -out rootcakey.pem\n"
 "    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
 "          -key rootcakey.pem -pass P@ssw0rd \\\n"
-"          -ca -path_len_constraints 6 \\\n"
+"          -ca -path_len_constraint 6 \\\n"
 "          -key_usage keyCertSign -key_usage cRLSign \\\n"
 "          -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
 "          -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -123,7 +123,7 @@ static char *usage =
 "\n"
 "    gmssl reqsign -in careq.pem -serial_len 12 -days 365 \\\n"
 "          -cacert rootcacert.pem -key rootcakey.pem -pass P@ssw0rd \\\n"
-"          -ca -path_len_constraints 0 \\\n"
+"          -ca -path_len_constraint 0 \\\n"
 "          -key_usage keyCertSign -key_usage cRLSign \\\n"
 "          -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
 "          -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -211,7 +211,7 @@ int reqsign_main(int argc, char **argv)
 
 	// BasicConstraints
 	int ca = -1;
-	int path_len_constraints = -1;
+	int path_len_constraint = -1;
 
 	// ExtKeyUsageSyntax
 	int ext_key_usages[12];
@@ -361,11 +361,11 @@ int reqsign_main(int argc, char **argv)
 			}
 		} else if (!strcmp(*argv, "-ca")) {
 			ca = 1;
-		} else if (!strcmp(*argv, "-path_len_constraints")) {
+		} else if (!strcmp(*argv, "-path_len_constraint")) {
 			if (--argc < 1) goto bad;
-			path_len_constraints = atoi(*(++argv));
-			if (path_len_constraints < 0) {
-				fprintf(stderr, "%s: invalid `-path_len_constraints` value\n", prog);
+			path_len_constraint = atoi(*(++argv));
+			if (path_len_constraint < 0) {
+				fprintf(stderr, "%s: invalid `-path_len_constraint` value\n", prog);
 				goto end;
 			}
 		} else if (!strcmp(*argv, "-ext_key_usage")) {
@@ -518,9 +518,9 @@ bad:
 		}
 	}
 	// no SubjectDirectoryAttributes
-	if (ca >= 0 || path_len_constraints >= 0) {
+	if (ca >= 0 || path_len_constraint >= 0) {
 		if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
-			X509_critical, ca, path_len_constraints) != 1) {
+			X509_critical, ca, path_len_constraint) != 1) {
 			fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
 			goto end;
 		}