diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9a7741ac..2b3a1257 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -820,7 +820,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1098")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1099")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index ac155179..6594af3f 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1098"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1099"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/x509_cer.c b/src/x509_cer.c
index b78be2b7..c8f4adb9 100644
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -1898,11 +1898,12 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result)
 {
 int entity_cert_type;
+ const uint8_t *cert_chain = certs;
+ size_t cert_chain_len = certslen;
 const uint8_t *cert;
 size_t certlen;
 const uint8_t *cacert;
 size_t cacertlen;
- int matched_root = 0;
 int ret;
 int path_len = 0;
@@ -1943,8 +1944,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 return -1;
 }
- if ((path_len_constraint >= 0 && path_len > path_len_constraint) || path_len > depth) {
+ if (path_len > depth) {
 error_print();
 return -1;
 }
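Review bot: The per-CA pathLenConstraint comparison is dropped from this loop, leaving `if (path_len > depth)` as the only length check, but nothing in the hunk records where that constraint is now enforced; `path_len_constraint` appears to still be filled by an `x509_cert_check` call earlier in the loop (outside the hunk) and becomes write-only here. If the intent is that `x509_certs_check_basic_constraints()` now enforces pathLenConstraint over the whole chain once the root is found, say so on the new line: `/* pathLenConstraint is enforced chain-wide by x509_certs_check_basic_constraints() after the root is found; only the caller's depth limit is checked per hop */`. Otherwise an intermediate with pathLenConstraint=0 followed by another CA would pass this loop unnoticed. The enclosing loop and x509_certs_verify both start and end outside the hunk.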
@@ -1961,37 +1961,36 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 path_len++;
 }
- // 函数提供了一组根证书,我们要从根证书中找到和被验证的证书链匹配的那个根证书
- // 如果没有找到对应的根证书,那么就会出错
- // 但是这个错误隐藏在这个函数中并不合适!这说明这个函数的接口有问题
- //
- while (rootcertslen) {
- if (x509_cert_from_der(&cacert, &cacertlen, &rootcerts, &rootcertslen) != 1) {
- error_print();
- return -1;
- }
- if ((ret = x509_cert_is_signed_by_root_ca_cert(cert, certlen, cacert, cacertlen,
- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH)) < 0) {
- error_print();
- return -1;
- }
- if (ret == 0) {
- continue;
- }
- if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
- error_print();
- return -1;
- }
- if ((path_len_constraint >= 0 && path_len > path_len_constraint)
- || path_len > depth) {
- error_print();
- return -1;
- }
- matched_root = 1;
- break;
+ if ((ret = x509_cert_chain_find_root_ca_cert(cert_chain, cert_chain_len,
+ rootcerts, rootcertslen, &cacert, &cacertlen,
+ SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH)) < 0) {
+ error_print();
+ return -1;
+ }
+ if (ret == 0) {
+ error_print();
+ return -1;
+ }
+ if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
+ error_print();
+ return -1;
+ }
+ if (path_len > depth) {
+ error_print();
+ return -1;
 }
- if (!matched_root) {
+ if (x509_certs_check_basic_constraints(cert_chain, cert_chain_len,
+ cacert, cacertlen) != 1) {
+ error_print();
+ return -1;
+ }
+ if ((ret = x509_certs_check_name_constraints(cert_chain, cert_chain_len,
+ cacert, cacertlen)) < 0) {
+ error_print();
+ return -1;
+ }
+ if (ret == 0) {
 error_print();
 return -1;
 }
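Review bot: The `path_len_constraint` filled by `x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint)` on the matched root is never read in the new code, because its only consumer was the removed `path_len > path_len_constraint` comparison; the root's pathLenConstraint is therefore enforced only if `x509_certs_check_basic_constraints(cert_chain, cert_chain_len, cacert, cacertlen)` covers the trust anchor as well as the intermediates, which cannot be confirmed from this hunk. Until that is confirmed, either keep the guard as one line directly after the `x509_cert_check` call, `if (path_len_constraint >= 0 && path_len > path_len_constraint) { error_print(); return -1; }`, or put a comment above that call stating that the out-parameter is intentionally unused because the chain-wide check owns the constraint. Separately, the "no matching root", basic-constraints and name-constraints rejections all collapse into the same `error_print(); return -1;` as internal failures, which is exactly what the deleted comment objected to; if `verify_result` is meant to tell the caller why a chain was rejected, these three policy paths are where it should be set. x509_certs_verify continues outside the hunk.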