diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3a73fe44..6bd2964d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -748,10 +748,43 @@ if (CMAKE_C_COMPILER_ID MATCHES "MSVC")
 endif()
 
 
-add_test(NAME sm3_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/sm3_commands.cmake")
-add_test(NAME sm2_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/sm2_commands.cmake")
-add_test(NAME cert_commands COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/cert_commands.cmake")
-set_tests_properties(cert_commands PROPERTIES FIXTURES_SETUP gmssl_cert_files)
+add_test(NAME tool_sm3 COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_sm3.cmake")
+add_test(NAME tool_sm2 COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_sm2.cmake")
+add_test(NAME tool_rand COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_rand.cmake")
+add_test(NAME tool_sm4 COMMAND ${CMAKE_COMMAND}
+	-DENABLE_SM4_ECB=${ENABLE_SM4_ECB}
+	-DENABLE_SM4_CFB=${ENABLE_SM4_CFB}
+	-DENABLE_SM4_OFB=${ENABLE_SM4_OFB}
+	-DENABLE_SM4_CCM=${ENABLE_SM4_CCM}
+	-DENABLE_SM4_XTS=${ENABLE_SM4_XTS}
+	-DENABLE_SM4_CBC_MAC=${ENABLE_SM4_CBC_MAC}
+	-P "${CMAKE_SOURCE_DIR}/cmake/tool_sm4.cmake")
+if(ENABLE_ZUC)
+	add_test(NAME tool_zuc COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_zuc.cmake")
+endif()
+if(ENABLE_GHASH)
+	add_test(NAME tool_ghash COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_ghash.cmake")
+endif()
+if(ENABLE_SM9)
+	add_test(NAME tool_sm9 COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_sm9.cmake")
+endif()
+if(ENABLE_LMS OR ENABLE_XMSS OR ENABLE_SPHINCS OR ENABLE_KYBER)
+	add_test(NAME tool_pqc COMMAND ${CMAKE_COMMAND}
+		-DENABLE_LMS=${ENABLE_LMS}
+		-DENABLE_XMSS=${ENABLE_XMSS}
+		-DENABLE_SPHINCS=${ENABLE_SPHINCS}
+		-DENABLE_KYBER=${ENABLE_KYBER}
+		-P "${CMAKE_SOURCE_DIR}/cmake/tool_pqc.cmake")
+endif()
+add_test(NAME tool_cert COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_cert.cmake")
+set_tests_properties(tool_cert PROPERTIES FIXTURES_SETUP gmssl_cert_files)
+add_test(NAME tool_crl COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_crl.cmake")
+add_test(NAME tool_ocsp COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_ocsp.cmake")
+set_tests_properties(tool_crl tool_ocsp PROPERTIES FIXTURES_REQUIRED gmssl_cert_files)
+if(ENABLE_CMS)
+	add_test(NAME tool_cms COMMAND ${CMAKE_COMMAND} -P "${CMAKE_SOURCE_DIR}/cmake/tool_cms.cmake")
+	set_tests_properties(tool_cms PROPERTIES FIXTURES_REQUIRED gmssl_cert_files)
+endif()
 if(ENABLE_TLS AND NOT WIN32)
 	find_program(OPENSSL_EXECUTABLE openssl)
 	set(GMSSL_OPENSSL_INTEROP_ENABLED OFF)
@@ -760,71 +793,71 @@ if(ENABLE_TLS AND NOT WIN32)
 	else()
 		message(STATUS "OpenSSL TLS interop tests require ENABLE_AES=ON, ENABLE_SHA2=ON and ENABLE_SECP256R1=ON; skipping")
 	endif()
-	add_test(NAME tlcp_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
-	add_test(NAME tlcp_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
-	add_test(NAME tlcp_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
-	add_test(NAME tls12_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
-	add_test(NAME tls12_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
-	add_test(NAME tls12_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
-	add_test(NAME tls12_sm4_gcm_renegotiation_info COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
-	add_test(NAME tls12_sm4_gcm_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
-	add_test(NAME tls12_client_reject_renegotiation_info_both
+	add_test(NAME tool_tlcp_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
+	add_test(NAME tool_tlcp_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
+	add_test(NAME tool_tlcp_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
+	add_test(NAME tool_tls12_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+	add_test(NAME tool_tls12_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+	add_test(NAME tool_tls12_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+	add_test(NAME tool_tls12_sm4_gcm_renegotiation_info COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+	add_test(NAME tool_tls12_sm4_gcm_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
+	add_test(NAME tool_tls12_client_reject_renegotiation_info_both
 		COMMAND bash -c "bin/gmssl tls12_client -host 127.0.0.1 -renegotiation_info -renegotiation_info_scsv > tls12_client_reject_renegotiation_info_both.log 2>&1; test $? -ne 0 && grep -q 'should not be used together' tls12_client_reject_renegotiation_info_both.log")
-	add_test(NAME tls13_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
-	add_test(NAME tls13_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
-	add_test(NAME tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
-	add_test(NAME tls13_psk_dhe_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_dhe_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
-	add_test(NAME tls13_psk_only_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_only_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
-	add_test(NAME tls13_early_data_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_early_data_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
+	add_test(NAME tool_tls13_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
+	add_test(NAME tool_tls13_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
+	add_test(NAME tool_tls13_hrr_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_hrr_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
+	add_test(NAME tool_tls13_psk_dhe_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_dhe_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
+	add_test(NAME tool_tls13_psk_only_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_only_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
+	add_test(NAME tool_tls13_early_data_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_early_data_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
 	set_tests_properties(
-		tlcp_sm4_gcm_sni
-		tlcp_sm4_cbc_sni
-		tlcp_sm4_gcm_client_cert
-		tls12_sm4_gcm_sni
-		tls12_sm4_cbc_sni
-		tls12_sm4_gcm_client_cert
-		tls12_sm4_gcm_renegotiation_info
-		tls12_sm4_gcm_renegotiation_info_scsv
-		tls13_sm4_gcm_sni
-		tls13_sm4_gcm_client_cert
-		tls13_hrr_sm4_gcm
-		tls13_psk_dhe_sm4_gcm
-		tls13_psk_only_sm4_gcm
-		tls13_early_data_sm4_gcm
+		tool_tlcp_sm4_gcm_sni
+		tool_tlcp_sm4_cbc_sni
+		tool_tlcp_sm4_gcm_client_cert
+		tool_tls12_sm4_gcm_sni
+		tool_tls12_sm4_cbc_sni
+		tool_tls12_sm4_gcm_client_cert
+		tool_tls12_sm4_gcm_renegotiation_info
+		tool_tls12_sm4_gcm_renegotiation_info_scsv
+		tool_tls13_sm4_gcm_sni
+		tool_tls13_sm4_gcm_client_cert
+		tool_tls13_hrr_sm4_gcm
+		tool_tls13_psk_dhe_sm4_gcm
+		tool_tls13_psk_only_sm4_gcm
+		tool_tls13_early_data_sm4_gcm
 		PROPERTIES FIXTURES_REQUIRED gmssl_cert_files)
 	set_tests_properties(
-		tls13_hrr_sm4_gcm
-		tls13_psk_only_sm4_gcm
-		tls13_early_data_sm4_gcm
+		tool_tls13_hrr_sm4_gcm
+		tool_tls13_psk_only_sm4_gcm
+		tool_tls13_early_data_sm4_gcm
 		PROPERTIES DISABLED TRUE)
 	if(OPENSSL_EXECUTABLE AND GMSSL_OPENSSL_INTEROP_ENABLED)
-		add_test(NAME tls12_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls12_openssl_server_renegotiation_info COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls12_openssl_server_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls12_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls13_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls13_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls13_hrr_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_hrr_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls13_psk_dhe_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_dhe_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls13_psk_dhe_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_dhe_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls13_psk_only_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_only_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
-		add_test(NAME tls13_psk_only_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_only_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls12_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls12_openssl_server_renegotiation_info COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls12_openssl_server_renegotiation_info_scsv COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_server_renegotiation_info_scsv -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls12_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls12_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls13_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls13_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls13_hrr_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_hrr_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls13_psk_dhe_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_dhe_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls13_psk_dhe_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_dhe_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls13_psk_only_openssl_server COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_only_openssl_server -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
+		add_test(NAME tool_tls13_psk_only_openssl_client COMMAND ${CMAKE_COMMAND} -DOPENSSL_EXECUTABLE=${OPENSSL_EXECUTABLE} -DTEST_CASE=tls13_psk_only_openssl_client -P "${CMAKE_SOURCE_DIR}/cmake/openssl_interop_commands.cmake")
 		set_tests_properties(
-			tls12_openssl_server
-			tls12_openssl_server_renegotiation_info
-			tls12_openssl_server_renegotiation_info_scsv
-			tls12_openssl_client
-			tls13_openssl_server
-			tls13_openssl_client
-			tls13_hrr_openssl_client
-			tls13_psk_dhe_openssl_server
-			tls13_psk_dhe_openssl_client
-			tls13_psk_only_openssl_server
-			tls13_psk_only_openssl_client
+			tool_tls12_openssl_server
+			tool_tls12_openssl_server_renegotiation_info
+			tool_tls12_openssl_server_renegotiation_info_scsv
+			tool_tls12_openssl_client
+			tool_tls13_openssl_server
+			tool_tls13_openssl_client
+			tool_tls13_hrr_openssl_client
+			tool_tls13_psk_dhe_openssl_server
+			tool_tls13_psk_dhe_openssl_client
+			tool_tls13_psk_only_openssl_server
+			tool_tls13_psk_only_openssl_client
 			PROPERTIES FIXTURES_REQUIRED gmssl_cert_files)
 		set_tests_properties(
-			tls13_psk_only_openssl_server
-			tls13_psk_only_openssl_client
+			tool_tls13_psk_only_openssl_server
+			tool_tls13_psk_only_openssl_client
 			PROPERTIES DISABLED TRUE)
 	elseif(NOT OPENSSL_EXECUTABLE)
 		message(STATUS "openssl executable not found; skipping OpenSSL TLS interop tests")
@@ -841,7 +874,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1123")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1124")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/cmake/sm3_commands.cmake b/cmake/sm3_commands.cmake
deleted file mode 100644
index 94aaae1b..00000000
--- a/cmake/sm3_commands.cmake
+++ /dev/null
@@ -1,14 +0,0 @@
-execute_process(
-	COMMAND bin/gmssl sm3 -in_str abc
-	RESULT_VARIABLE TEST_RESULT
-	ERROR_VARIABLE TEST_STDERR
-	OUTPUT_VARIABLE TEST_OUTPUT
-)
-
-if(NOT ${TEST_RESULT} EQUAL 0)
-	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
-endif()
-
-if(NOT ${TEST_OUTPUT} STREQUAL "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0\n")
-	message(FATAL_ERROR "stdout: ${TEST_OUTPUT}")
-endif()
diff --git a/cmake/cert_commands.cmake b/cmake/tool_cert.cmake
similarity index 94%
rename from cmake/cert_commands.cmake
rename to cmake/tool_cert.cmake
index ce71af0f..43f2e841 100644
--- a/cmake/cert_commands.cmake
+++ b/cmake/tool_cert.cmake
@@ -203,3 +203,23 @@ gmssl_write_bundle(sm2_tlcp_server_keys.pem
 
 gmssl_write_bundle(test_root_certs.pem
 	sm2_root_ca_cert.pem p256_root_ca_cert.pem)
+
+gmssl_run(bin/gmssl certparse -in sm2_tlcp_server_certs.pem -out tool_certparse.txt)
+gmssl_require_generated_file(tool_certparse.txt)
+
+gmssl_run(bin/gmssl certverify
+	-tlcp_server
+	-in sm2_tlcp_server_certs.pem
+	-cacert sm2_root_ca_cert.pem
+	-hostname localhost)
+
+gmssl_run(bin/gmssl certverify
+	-server
+	-in sm2_tls_server_certs.pem
+	-cacert sm2_root_ca_cert.pem
+	-hostname LOCALHOST)
+
+gmssl_run(bin/gmssl certverify
+	-client
+	-in sm2_tls_client_certs.pem
+	-cacert sm2_root_ca_cert.pem)
diff --git a/cmake/tool_cms.cmake b/cmake/tool_cms.cmake
new file mode 100644
index 00000000..aacae120
--- /dev/null
+++ b/cmake/tool_cms.cmake
@@ -0,0 +1,32 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+file(WRITE tool_cms_message.txt "CMS command line test message")
+
+gmssl_run(cmssign
+	-key sm2_tls_server_key.pem
+	-pass P@ssw0rd
+	-cert sm2_tls_server_cert.pem
+	-in tool_cms_message.txt
+	-out tool_cms_signed.pem)
+gmssl_require_file(tool_cms_signed.pem)
+
+gmssl_run(cmsparse -in tool_cms_signed.pem)
+
+gmssl_run(cmsverify
+	-in tool_cms_signed.pem
+	-out tool_cms_verified.txt)
+gmssl_expect_file_text(tool_cms_verified.txt "CMS command line test message")
+
+gmssl_run(cmsencrypt
+	-rcptcert sm2_tlcp_server_enc_cert.pem
+	-in tool_cms_message.txt
+	-out tool_cms_enveloped.pem)
+gmssl_require_file(tool_cms_enveloped.pem)
+
+gmssl_run(cmsdecrypt
+	-key sm2_tlcp_server_enc_key.pem
+	-pass P@ssw0rd
+	-cert sm2_tlcp_server_enc_cert.pem
+	-in tool_cms_enveloped.pem
+	-out tool_cms_decrypted.txt)
+gmssl_expect_file_text(tool_cms_decrypted.txt "CMS command line test message")
diff --git a/cmake/tool_crl.cmake b/cmake/tool_crl.cmake
new file mode 100644
index 00000000..c5f0714e
--- /dev/null
+++ b/cmake/tool_crl.cmake
@@ -0,0 +1,25 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+gmssl_run(certrevoke
+	-in sm2_tls_server_cert.pem
+	-reason keyCompromise
+	-invalid_date 20260101000000Z
+	-out tool_revoked_certs.der)
+gmssl_require_file(tool_revoked_certs.der)
+
+gmssl_run(crlgen
+	-in tool_revoked_certs.der
+	-cacert sm2_tls_server_ca2_cert.pem
+	-key sm2_tls_server_ca2_key.pem
+	-pass P@ssw0rd
+	-next_update 20270101000000Z
+	-gen_authority_key_id
+	-crl_num 1
+	-out tool_crl.der)
+gmssl_require_file(tool_crl.der)
+
+gmssl_run(crlparse -in tool_crl.der -out tool_crl.txt)
+gmssl_require_file(tool_crl.txt)
+
+gmssl_expect_stdout("Verification success\n"
+	crlverify -in tool_crl.der -cacert sm2_tls_server_ca2_cert.pem)
diff --git a/cmake/tool_ghash.cmake b/cmake/tool_ghash.cmake
new file mode 100644
index 00000000..8bf94769
--- /dev/null
+++ b/cmake/tool_ghash.cmake
@@ -0,0 +1,9 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+gmssl_expect_stdout("50db43e2ab4a2bbddd6e1182de2cc22b\n"
+	ghash -h 0123456789abcdeffedcba9876543210 -aad_hex 001122 -in_str abc)
+
+file(WRITE tool_ghash_input.txt "abc")
+gmssl_run(ghash -h 0123456789abcdeffedcba9876543210 -aad "aad" -bin
+	-in tool_ghash_input.txt -out tool_ghash.bin)
+gmssl_require_file(tool_ghash.bin)
diff --git a/cmake/tool_helpers.cmake b/cmake/tool_helpers.cmake
new file mode 100644
index 00000000..1eb4c678
--- /dev/null
+++ b/cmake/tool_helpers.cmake
@@ -0,0 +1,67 @@
+set(GMSSL_BIN bin/gmssl)
+
+function(gmssl_run)
+	execute_process(
+		COMMAND ${GMSSL_BIN} ${ARGN}
+		RESULT_VARIABLE TEST_RESULT
+		ERROR_VARIABLE TEST_STDERR
+		OUTPUT_VARIABLE TEST_STDOUT
+	)
+	if(NOT TEST_RESULT EQUAL 0)
+		message(FATAL_ERROR "command failed: ${GMSSL_BIN} ${ARGN}\nstderr: ${TEST_STDERR}\nstdout: ${TEST_STDOUT}")
+	endif()
+endfunction()
+
+function(gmssl_run_capture out_var)
+	execute_process(
+		COMMAND ${GMSSL_BIN} ${ARGN}
+		RESULT_VARIABLE TEST_RESULT
+		ERROR_VARIABLE TEST_STDERR
+		OUTPUT_VARIABLE TEST_STDOUT
+	)
+	if(NOT TEST_RESULT EQUAL 0)
+		message(FATAL_ERROR "command failed: ${GMSSL_BIN} ${ARGN}\nstderr: ${TEST_STDERR}\nstdout: ${TEST_STDOUT}")
+	endif()
+	set(${out_var} "${TEST_STDOUT}" PARENT_SCOPE)
+endfunction()
+
+function(gmssl_expect_stdout expected)
+	gmssl_run_capture(TEST_STDOUT ${ARGN})
+	if(NOT TEST_STDOUT STREQUAL "${expected}")
+		message(FATAL_ERROR "unexpected stdout for ${GMSSL_BIN} ${ARGN}\nexpected: ${expected}\nactual: ${TEST_STDOUT}")
+	endif()
+endfunction()
+
+function(gmssl_require_file file)
+	if(NOT EXISTS "${file}")
+		message(FATAL_ERROR "generated file does not exist: ${file}")
+	endif()
+endfunction()
+
+function(gmssl_files_equal expected actual)
+	gmssl_require_file("${expected}")
+	gmssl_require_file("${actual}")
+	file(SHA256 "${expected}" EXPECTED_HASH)
+	file(SHA256 "${actual}" ACTUAL_HASH)
+	if(NOT EXPECTED_HASH STREQUAL ACTUAL_HASH)
+		message(FATAL_ERROR "file mismatch: ${expected} ${actual}")
+	endif()
+endfunction()
+
+function(gmssl_expect_file_hex file expected_hex)
+	gmssl_require_file("${file}")
+	file(READ "${file}" ACTUAL_HEX HEX)
+	string(TOLOWER "${ACTUAL_HEX}" ACTUAL_HEX)
+	string(TOLOWER "${expected_hex}" EXPECTED_HEX)
+	if(NOT ACTUAL_HEX STREQUAL EXPECTED_HEX)
+		message(FATAL_ERROR "unexpected hex in ${file}\nexpected: ${EXPECTED_HEX}\nactual: ${ACTUAL_HEX}")
+	endif()
+endfunction()
+
+function(gmssl_expect_file_text file expected_text)
+	gmssl_require_file("${file}")
+	file(READ "${file}" ACTUAL_TEXT)
+	if(NOT ACTUAL_TEXT STREQUAL "${expected_text}")
+		message(FATAL_ERROR "unexpected text in ${file}\nexpected: ${expected_text}\nactual: ${ACTUAL_TEXT}")
+	endif()
+endfunction()
diff --git a/cmake/tool_ocsp.cmake b/cmake/tool_ocsp.cmake
new file mode 100644
index 00000000..32f670ea
--- /dev/null
+++ b/cmake/tool_ocsp.cmake
@@ -0,0 +1,34 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+file(READ sm2_tls_server_cert.pem OCSP_CERT)
+file(READ sm2_tls_server_ca2_cert.pem OCSP_ISSUER)
+file(WRITE tool_ocsp_chain.pem "${OCSP_CERT}${OCSP_ISSUER}")
+
+gmssl_run(ocspreq
+	-in tool_ocsp_chain.pem
+	-digest sm3
+	-out tool_ocsp_req.der
+	-verbose)
+gmssl_require_file(tool_ocsp_req.der)
+
+gmssl_run(ocspsign
+	-reqin tool_ocsp_req.der
+	-cacert sm2_tls_server_ca2_cert.pem
+	-signer sm2_ocsp_responder_cert.pem
+	-key sm2_ocsp_responder_key.pem
+	-pass P@ssw0rd
+	-status good
+	-certs sm2_ocsp_responder_cert.pem
+	-out tool_ocsp_resp.der
+	-verbose)
+gmssl_require_file(tool_ocsp_resp.der)
+
+gmssl_expect_stdout("Verification success\n"
+	ocspverify
+	-reqin tool_ocsp_req.der
+	-respin tool_ocsp_resp.der
+	-cacert sm2_tls_server_ca2_cert.pem
+	-signer sm2_ocsp_responder_cert.pem
+	-certs sm2_ocsp_responder_cert.pem
+	-clock_skew 300
+	-verbose)
diff --git a/cmake/tool_pqc.cmake b/cmake/tool_pqc.cmake
new file mode 100644
index 00000000..e449e59a
--- /dev/null
+++ b/cmake/tool_pqc.cmake
@@ -0,0 +1,40 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+file(WRITE tool_pqc_message.txt "PQC command line test message")
+
+function(gmssl_signature_roundtrip name keygen sign verify)
+	cmake_parse_arguments(ARG "" "" "KEYGEN_ARGS;SIGN_ARGS;VERIFY_ARGS" ${ARGN})
+	gmssl_run(${keygen} ${ARG_KEYGEN_ARGS}
+		-out "${name}_key.pem" -pubout "${name}_pub.pem")
+	gmssl_run(${sign} -key "${name}_key.pem"
+		-in tool_pqc_message.txt -out "${name}.sig" ${ARG_SIGN_ARGS})
+	gmssl_run(${verify} -pubkey "${name}_pub.pem"
+		-in tool_pqc_message.txt -sig "${name}.sig" ${ARG_VERIFY_ARGS})
+endfunction()
+
+if(ENABLE_LMS)
+	gmssl_signature_roundtrip(tool_lms lmskeygen lmssign lmsverify
+		KEYGEN_ARGS -lms_type LMS_SM3_M32_H5)
+	gmssl_signature_roundtrip(tool_hss hsskeygen hsssign hssverify
+		KEYGEN_ARGS -lms_types LMS_SM3_M32_H5:LMS_SM3_M32_H5)
+endif()
+
+if(ENABLE_XMSS)
+	gmssl_signature_roundtrip(tool_xmss xmsskeygen xmsssign xmssverify
+		KEYGEN_ARGS -xmss_type XMSS_SHA2_10_256)
+	gmssl_signature_roundtrip(tool_xmssmt xmssmtkeygen xmssmtsign xmssmtverify
+		KEYGEN_ARGS -xmssmt_type XMSSMT_SHA2_20_2_256)
+endif()
+
+if(ENABLE_SPHINCS)
+	gmssl_signature_roundtrip(tool_sphincs sphincskeygen sphincssign sphincsverify)
+endif()
+
+if(ENABLE_KYBER)
+	gmssl_run(kyberkeygen -out tool_kyber_key.pem -pubout tool_kyber_pub.pem)
+	gmssl_run(kyberencap -pubkey tool_kyber_pub.pem
+		-out tool_kyber_cipher.bin -outkey tool_kyber_secret.bin)
+	gmssl_run(kyberdecap -key tool_kyber_key.pem
+		-in tool_kyber_cipher.bin -out tool_kyber_dec_secret.bin)
+	gmssl_files_equal(tool_kyber_secret.bin tool_kyber_dec_secret.bin)
+endif()
diff --git a/cmake/tool_rand.cmake b/cmake/tool_rand.cmake
new file mode 100644
index 00000000..f0b8fabe
--- /dev/null
+++ b/cmake/tool_rand.cmake
@@ -0,0 +1,15 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+gmssl_run(rand -outlen 16 -out tool_rand.bin)
+file(SIZE tool_rand.bin RAND_BIN_SIZE)
+if(NOT RAND_BIN_SIZE EQUAL 16)
+	message(FATAL_ERROR "unexpected rand output size: ${RAND_BIN_SIZE}")
+endif()
+
+gmssl_run_capture(RAND_HEX rand -hex -outlen 16)
+string(STRIP "${RAND_HEX}" RAND_HEX_STRIPPED)
+string(REGEX MATCH "^[0-9a-fA-F]+$" RAND_HEX_MATCH "${RAND_HEX_STRIPPED}")
+string(LENGTH "${RAND_HEX_STRIPPED}" RAND_HEX_LEN)
+if(NOT RAND_HEX_MATCH OR NOT RAND_HEX_LEN EQUAL 32)
+	message(FATAL_ERROR "unexpected rand hex output: ${RAND_HEX}")
+endif()
diff --git a/cmake/sm2_commands.cmake b/cmake/tool_sm2.cmake
similarity index 72%
rename from cmake/sm2_commands.cmake
rename to cmake/tool_sm2.cmake
index 58d42f55..04ef92c9 100644
--- a/cmake/sm2_commands.cmake
+++ b/cmake/tool_sm2.cmake
@@ -64,3 +64,25 @@ if(NOT "${TEST_STDOUT}" STREQUAL "${SECRET_MESSAGE}")
 	message(FATAL_ERROR "stdout: ${TEST_STDOUT}")
 endif()
 
+execute_process(
+	COMMAND bin/gmssl sm2sign -key sm2.pem -pass P@ssw0rd -id Alice -in message.txt -out sm2_id.sig
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+
+execute_process(
+	COMMAND bin/gmssl sm2verify -pubkey sm2pub.pem -id Alice -in message.txt -sig sm2_id.sig
+	RESULT_VARIABLE TEST_RESULT
+	ERROR_VARIABLE TEST_STDERR
+	OUTPUT_VARIABLE TEST_STDOUT
+)
+if(NOT ${TEST_RESULT} EQUAL 0)
+	message(FATAL_ERROR "stderr: ${TEST_STDERR}")
+endif()
+string(FIND "${TEST_STDOUT}" "success" VERIFY_SUCCESS)
+if(VERIFY_SUCCESS EQUAL -1)
+    message(FATAL_ERROR "verify failure")
+endif()
diff --git a/cmake/tool_sm3.cmake b/cmake/tool_sm3.cmake
new file mode 100644
index 00000000..9876d1fb
--- /dev/null
+++ b/cmake/tool_sm3.cmake
@@ -0,0 +1,20 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+gmssl_expect_stdout("66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0\n"
+	sm3 -in_str abc)
+
+file(WRITE tool_sm3_input.txt "abc")
+gmssl_expect_stdout("66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0\n"
+	sm3 -hex -in tool_sm3_input.txt)
+gmssl_run(sm3 -bin -in tool_sm3_input.txt -out tool_sm3.bin)
+gmssl_expect_file_hex(tool_sm3.bin "66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0")
+
+gmssl_expect_stdout("28d8a61be67d8bf7652c4eda7092b612f88be62184f55005c57ddf076e764199\n"
+	sm3hmac -key 0123456789abcdeffedcba9876543210 -in_str abc)
+gmssl_run(sm3hmac -key 0123456789abcdeffedcba9876543210 -bin -in tool_sm3_input.txt -out tool_sm3hmac.bin)
+gmssl_expect_file_hex(tool_sm3hmac.bin "28d8a61be67d8bf7652c4eda7092b612f88be62184f55005c57ddf076e764199")
+
+gmssl_expect_stdout("df6b713d38d5a35df6861959e529ed22\n"
+	sm3_pbkdf2 -pass password -salt 0011223344556677 -iter 10000 -outlen 16 -hex)
+gmssl_run(sm3_pbkdf2 -pass password -salt 0011223344556677 -iter 10000 -outlen 16 -bin -out tool_sm3_pbkdf2.bin)
+gmssl_expect_file_hex(tool_sm3_pbkdf2.bin "df6b713d38d5a35df6861959e529ed22")
diff --git a/cmake/tool_sm4.cmake b/cmake/tool_sm4.cmake
new file mode 100644
index 00000000..84e75a93
--- /dev/null
+++ b/cmake/tool_sm4.cmake
@@ -0,0 +1,56 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+set(SM4_KEY 0123456789abcdeffedcba9876543210)
+set(SM4_IV 00000000000000000000000000000000)
+set(SM4_HMAC_KEY 0123456789abcdeffedcba98765432100123456789abcdeffedcba98765432100123456789abcdeffedcba9876543210)
+set(SM4_XTS_KEY 0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff)
+set(SM4_TEXT "0123456789abcdef0123456789abcdef")
+
+function(gmssl_symmetric_roundtrip name)
+	file(WRITE "${name}.plain" "${SM4_TEXT}")
+	gmssl_run(${ARGN} -encrypt -in "${name}.plain" -out "${name}.cipher")
+	gmssl_run(${ARGN} -decrypt -in "${name}.cipher" -out "${name}.decrypt")
+	gmssl_files_equal("${name}.plain" "${name}.decrypt")
+endfunction()
+
+file(WRITE tool_sm4_cbc_kat.plain "0123456789abcdef")
+gmssl_run(sm4_cbc -encrypt -key ${SM4_KEY} -iv ${SM4_IV}
+	-in tool_sm4_cbc_kat.plain -out tool_sm4_cbc_kat.cipher)
+gmssl_expect_file_hex(tool_sm4_cbc_kat.cipher
+	"e6887b77dbabb572ffa07fed7548b192ceaace11f2b90b94c2b7a4d9382e471e")
+gmssl_run(sm4_cbc -decrypt -key ${SM4_KEY} -iv ${SM4_IV}
+	-in tool_sm4_cbc_kat.cipher -out tool_sm4_cbc_kat.decrypt)
+gmssl_files_equal(tool_sm4_cbc_kat.plain tool_sm4_cbc_kat.decrypt)
+
+gmssl_symmetric_roundtrip(tool_sm4_cbc sm4_cbc -key ${SM4_KEY} -iv ${SM4_IV})
+gmssl_symmetric_roundtrip(tool_sm4_ctr sm4_ctr -key ${SM4_KEY} -iv ${SM4_IV})
+gmssl_symmetric_roundtrip(tool_sm4_gcm sm4_gcm -key ${SM4_KEY} -iv 000000000000000000000000 -aad_hex 001122 -taglen 16)
+gmssl_symmetric_roundtrip(tool_sm4_cbc_sm3_hmac sm4_cbc_sm3_hmac -key ${SM4_HMAC_KEY} -iv ${SM4_IV} -aad_hex 001122)
+gmssl_symmetric_roundtrip(tool_sm4_ctr_sm3_hmac sm4_ctr_sm3_hmac -key ${SM4_HMAC_KEY} -iv ${SM4_IV} -aad_hex 001122)
+
+if(ENABLE_SM4_ECB)
+	gmssl_symmetric_roundtrip(tool_sm4_ecb sm4_ecb -key ${SM4_KEY})
+endif()
+if(ENABLE_SM4_CFB)
+	gmssl_symmetric_roundtrip(tool_sm4_cfb sm4_cfb -sbytes 16 -key ${SM4_KEY} -iv ${SM4_IV})
+endif()
+if(ENABLE_SM4_OFB)
+	gmssl_symmetric_roundtrip(tool_sm4_ofb sm4_ofb -key ${SM4_KEY} -iv ${SM4_IV})
+endif()
+if(ENABLE_SM4_CCM)
+	gmssl_symmetric_roundtrip(tool_sm4_ccm sm4_ccm -key ${SM4_KEY} -iv 000000000000000000000000 -aad_hex 001122 -taglen 16)
+endif()
+if(ENABLE_SM4_XTS)
+	file(WRITE tool_sm4_xts.plain "0123456789abcdef0123456789abcdef")
+	gmssl_run(sm4_xts -encrypt -key ${SM4_XTS_KEY} -iv ${SM4_IV} -data_unit_size 32
+		-in tool_sm4_xts.plain -out tool_sm4_xts.cipher)
+	gmssl_run(sm4_xts -decrypt -key ${SM4_XTS_KEY} -iv ${SM4_IV} -data_unit_size 32
+		-in tool_sm4_xts.cipher -out tool_sm4_xts.decrypt)
+	gmssl_files_equal(tool_sm4_xts.plain tool_sm4_xts.decrypt)
+endif()
+if(ENABLE_SM4_CBC_MAC)
+	gmssl_expect_stdout("9054fccff72871fdad5202c821dbea05\n"
+		sm4_cbc_mac -key ${SM4_KEY} -in_str abc)
+	gmssl_run(sm4_cbc_mac -key ${SM4_KEY} -bin -in_str abc -out tool_sm4_cbc_mac.bin)
+	gmssl_expect_file_hex(tool_sm4_cbc_mac.bin "9054fccff72871fdad5202c821dbea05")
+endif()
diff --git a/cmake/tool_sm9.cmake b/cmake/tool_sm9.cmake
new file mode 100644
index 00000000..5f4dd761
--- /dev/null
+++ b/cmake/tool_sm9.cmake
@@ -0,0 +1,31 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+set(SM9_PASS P@ssw0rd)
+set(SM9_USER_PASS 123456)
+set(SM9_ID Alice)
+set(SM9_TEXT "SM9 command line test message")
+
+file(WRITE tool_sm9_message.txt "${SM9_TEXT}")
+
+gmssl_run(sm9setup -alg sm9sign -pass ${SM9_PASS}
+	-out tool_sm9_sign_msk.pem -pubout tool_sm9_sign_mpk.pem)
+gmssl_run(sm9keygen -alg sm9sign
+	-in tool_sm9_sign_msk.pem -inpass ${SM9_PASS}
+	-id ${SM9_ID}
+	-out tool_sm9_sign_key.pem -outpass ${SM9_USER_PASS})
+gmssl_run(sm9sign -key tool_sm9_sign_key.pem -pass ${SM9_USER_PASS}
+	-in tool_sm9_message.txt -out tool_sm9.sig)
+gmssl_run(sm9verify -pubmaster tool_sm9_sign_mpk.pem -id ${SM9_ID}
+	-in tool_sm9_message.txt -sig tool_sm9.sig)
+
+gmssl_run(sm9setup -alg sm9encrypt -pass ${SM9_PASS}
+	-out tool_sm9_enc_msk.pem -pubout tool_sm9_enc_mpk.pem)
+gmssl_run(sm9keygen -alg sm9encrypt
+	-in tool_sm9_enc_msk.pem -inpass ${SM9_PASS}
+	-id ${SM9_ID}
+	-out tool_sm9_enc_key.pem -outpass ${SM9_USER_PASS})
+gmssl_run(sm9encrypt -pubmaster tool_sm9_enc_mpk.pem -id ${SM9_ID}
+	-in tool_sm9_message.txt -out tool_sm9_cipher.der)
+gmssl_run(sm9decrypt -key tool_sm9_enc_key.pem -pass ${SM9_USER_PASS} -id ${SM9_ID}
+	-in tool_sm9_cipher.der -out tool_sm9_plain.txt)
+gmssl_expect_file_text(tool_sm9_plain.txt "${SM9_TEXT}")
diff --git a/cmake/tool_zuc.cmake b/cmake/tool_zuc.cmake
new file mode 100644
index 00000000..1eba9835
--- /dev/null
+++ b/cmake/tool_zuc.cmake
@@ -0,0 +1,10 @@
+include("${CMAKE_CURRENT_LIST_DIR}/tool_helpers.cmake")
+
+set(ZUC_KEY 00000000000000000000000000000000)
+set(ZUC_IV 00000000000000000000000000000000)
+file(WRITE tool_zuc.plain "0123456789abcdef")
+
+gmssl_run(zuc -key ${ZUC_KEY} -iv ${ZUC_IV} -in tool_zuc.plain -out tool_zuc.cipher)
+gmssl_expect_file_hex(tool_zuc.cipher "178fec4735b5b4edbfed84d4fc7cda00")
+gmssl_run(zuc -key ${ZUC_KEY} -iv ${ZUC_IV} -in tool_zuc.cipher -out tool_zuc.decrypt)
+gmssl_files_equal(tool_zuc.plain tool_zuc.decrypt)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 4f3ac4c4..5cbb5543 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 
 
 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1123"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1124"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/cms.c b/src/cms.c
index e39369cc..306a6814 100644
--- a/src/cms.c
+++ b/src/cms.c
@@ -2298,7 +2298,9 @@ int cms_deenvelop(const uint8_t *cms, size_t cmslen,
 		error_print();
 		return -1;
 	}
-	if (memcmp(&public_key.u.sm2_key, rcpt_key, sizeof(SM2_POINT)) != 0) {
+	if (rcpt_key->algor != OID_ec_public_key
+		|| rcpt_key->algor_param != OID_sm2
+		|| sm2_public_key_equ(&public_key.u.sm2_key, &rcpt_key->u.sm2_key) != 1) {
 		error_print();
 		return -1;
 	}
@@ -2498,4 +2500,3 @@ err:
 	return -1;
 }
 
-
diff --git a/tools/certverify.c b/tools/certverify.c
index 3dbb1fd3..5d96366d 100644
--- a/tools/certverify.c
+++ b/tools/certverify.c
@@ -102,7 +102,7 @@ int certverify_main(int argc, char **argv)
 	char *crlfile = NULL;
 	char *ocspfile = NULL;
 	char *hostname = NULL;
-	int chain_type = TLS_cert_chain_tlcp_server;
+	int chain_type = 0;
 	uint8_t *certs = NULL;
 	size_t certslen = 0;
 	uint8_t *cacerts = NULL;
@@ -188,6 +188,9 @@ bad:
 		fprintf(stderr, "%s: '-cacert' option required\n", prog);
 		goto end;
 	}
+	if (!chain_type) {
+		chain_type = TLS_cert_chain_tlcp_server;
+	}
 	if (hostname && chain_type == TLS_cert_chain_client) {
 		fprintf(stderr, "%s: '-hostname' only allowed with '-tlcp_server' or '-server'\n", prog);
 		goto end;
diff --git a/tools/cmssign.c b/tools/cmssign.c
index 1f0b0141..332c08bf 100644
--- a/tools/cmssign.c
+++ b/tools/cmssign.c
@@ -35,6 +35,7 @@ int cmssign_main(int argc, char **argv)
 	FILE *outfp = stdout;
 	SM2_KEY sm2_key;
 	X509_KEY public_key;
+	X509_KEY sign_key;
 	uint8_t cert[8192];
 	size_t certlen;
 	uint8_t *in = NULL;
@@ -134,11 +135,15 @@ bad:
 		fprintf(stderr, "%s: key and cert are not match!\n", prog);
 		goto end;
 	}
+	if (x509_key_set_sm2_key(&sign_key, &sm2_key) != 1) {
+		fprintf(stderr, "%s: invalid signing key\n", prog);
+		goto end;
+	}
 
 
 	cert_and_key.certs = cert;
 	cert_and_key.certs_len = certlen;
-	cert_and_key.sign_key = &public_key;
+	cert_and_key.sign_key = &sign_key;
 
 	if (file_size(infp, &inlen) != 1) {
 		fprintf(stderr, "%s: get input length failed\n", prog);
diff --git a/tools/gmssl.c b/tools/gmssl.c
index 7d04cc6c..37201abc 100644
--- a/tools/gmssl.c
+++ b/tools/gmssl.c
@@ -201,6 +201,7 @@ static const char *options =
 	"  ocspget           Download OCSPResponse from OCSP responder\n"
 	"  ocspsign          Sign OCSPResponse\n"
 	"  ocspverify        Verify OCSPResponse\n"
+	"  sctverify         Verify Signed Certificate Timestamp list\n"
 #ifdef ENABLE_CMS
 	"  cmssign           Generate CMS SignedData\n"
 	"  cmsverify         Verify CMS SignedData\n"
@@ -256,7 +257,6 @@ static const char *options =
 	"  tls12_server      TLS 1.2 server\n"
 	"  tls13_client      TLS 1.3 client\n"
 	"  tls13_server      TLS 1.3 server\n"
-	"  sctverify         Verify Signed Certificate Timestamp list\n"
 #endif
 	"\n"
 	"run `gmssl <command> -help` to print help of the given command\n"
diff --git a/tools/kyberdecap.c b/tools/kyberdecap.c
index 21caef65..0489bf0e 100644
--- a/tools/kyberdecap.c
+++ b/tools/kyberdecap.c
@@ -159,6 +159,10 @@ bad:
 
 
 	}
+	if (fwrite(outbuf, 1, sizeof(outbuf), outfp) != sizeof(outbuf)) {
+		error_print();
+		goto end;
+	}
 
 
 	ret = 0;
diff --git a/tools/sm9verify.c b/tools/sm9verify.c
index 73d880b5..cafc38ea 100644
--- a/tools/sm9verify.c
+++ b/tools/sm9verify.c
@@ -128,11 +128,12 @@ bad:
 		fprintf(stderr, "%s: read failure\n", prog);
 		goto end;
 	}
-	if ((ret = sm9_verify_finish(&ctx, sig, siglen, &mpk, id, strlen(id))) != 1) {
+	if (sm9_verify_finish(&ctx, sig, siglen, &mpk, id, strlen(id)) != 1) {
 		error_print();
 		goto end;
 	}
-	printf("%s %s\n", prog, ret ? "success" : "failure");
+	printf("%s success\n", prog);
+	ret = 0;
 
 end:
 	if (infile && infp) fclose(infp);
@@ -147,4 +148,3 @@ end:
 
 
 
-