From 53940870445a44d485f92d0879d6e55a18de2ab2 Mon Sep 17 00:00:00 2001
From: zwkylkx <51225320+zwkylkx@users.noreply.github.com>
Date: Fri, 3 Mar 2023 10:53:36 +0800
Subject: [PATCH 1/5] Create demo_tls12_post.c

demo_tls12_post
---
 demos/src/demo_tls12_post.c | 105 ++++++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 demos/src/demo_tls12_post.c

diff --git a/demos/src/demo_tls12_post.c b/demos/src/demo_tls12_post.c
new file mode 100644
index 00000000..36720e21
--- /dev/null
+++ b/demos/src/demo_tls12_post.c
@@ -0,0 +1,105 @@
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <gmssl/tls.h>
+#include <gmssl/error.h>
+#include "url_parser.h"
+
+
+int main(int argc, char *argv[])
+{
+	int ret = -1;
+	char *prog = argv[0];
+	const int cipher = TLS_cipher_ecc_sm4_cbc_sm3;
+	URL_COMPONENTS *url;
+	struct hostent *hp;
+	int port = 4430;
+	struct sockaddr_in server;
+	int sock;
+	TLS_CTX ctx;
+	TLS_CONNECT conn;
+	char request[1024];
+	uint8_t buf[16800];
+	char *p;
+	size_t len;
+
+	if (argc != 2) {
+		fprintf(stderr, "example: https://sm2only.ovssl.cn\n");
+		return 1;
+	}
+
+	if (!(url = parse_url(argv[1]))) {
+		fprintf(stderr, "parse url '%s' failure\n", argv[1]);
+		return 1;
+	}
+	if (!(hp = gethostbyname(url->host))) {
+		herror("tls12_client: '-host' invalid");
+		goto end;
+	}
+	if (url->port != -1) {
+		port = url->port;
+	}
+
+	server.sin_addr = *((struct in_addr *)hp->h_addr_list[0]);
+	server.sin_family = AF_INET;
+	server.sin_port = htons(port);
+
+	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+		perror("socket");
+		goto end;
+	}
+	if (connect(sock, (struct sockaddr *)&server , sizeof(server)) < 0) {
+		perror("connect");
+		goto end;
+	}
+
+	memset(&ctx, 0, sizeof(ctx));
+	memset(&conn, 0, sizeof(conn));
+
+	tls_ctx_init(&ctx, TLS_protocol_tls12, TLS_client_mode);
+	tls_ctx_set_cipher_suites(&ctx, &cipher, 1);
+	tls_init(&conn, &ctx);
+	tls_set_socket(&conn, sock);
+
+	if (tls_do_handshake(&conn) != 1) {
+		fprintf(stderr, "%s: error\n", prog);
+		goto end;
+	}
+
+	snprintf(request, sizeof(request)-1, "POST %s HTTP/1.1\r\nHost: %s\r\n\r\n",
+		url->path ? url->path : "/",
+		url->host);
+
+	tls_send(&conn, (uint8_t *)request, strlen(request), &len);
+
+	len = fread(buf, 1, sizeof(buf), stdin);
+	if (len) {
+		tls_send(&conn, buf, len, &len);
+	}
+
+	if (tls_recv(&conn, buf, sizeof(buf), &len) != 1) {
+		fprintf(stderr, "recv failure\n");
+		goto end;
+	}
+	buf[len] = 0;
+
+	p = strstr((char *)buf, "\r\n\r\n");
+	if (p) {
+		printf("%s", p + 4);
+		fflush(stdout);
+	}
+
+end:
+	free_url_components(url);
+	close(sock);
+	tls_ctx_cleanup(&ctx);
+	tls_cleanup(&conn);
+	return 0;
+}

From 4dfedc0d25498e37b31eeada1251bf9e8f3b2af6 Mon Sep 17 00:00:00 2001
From: zwkylkx <51225320+zwkylkx@users.noreply.github.com>
Date: Sat, 18 Mar 2023 15:34:22 +0800
Subject: [PATCH 2/5] Update demo_tls12_post.c

---
 demos/src/demo_tls12_post.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/demos/src/demo_tls12_post.c b/demos/src/demo_tls12_post.c
index 36720e21..60cffbd6 100644
--- a/demos/src/demo_tls12_post.c
+++ b/demos/src/demo_tls12_post.c
@@ -31,7 +31,7 @@ int main(int argc, char *argv[])
 	size_t len;
 
 	if (argc != 2) {
-		fprintf(stderr, "example: https://sm2only.ovssl.cn\n");
+		fprintf(stderr, "example: example.com\n");
 		return 1;
 	}
 

From 7738a150d04eeeb221a5d67c2c636df51107673f Mon Sep 17 00:00:00 2001
From: LuckyPowerfuljjj <119035666+LuckyPowerfuljjj@users.noreply.github.com>
Date: Fri, 7 Apr 2023 20:57:24 +0800
Subject: [PATCH 3/5] demos_tlcp_client_connection (#1440)

* Create tlcp_client_connect.c

* Create rootcacert.pem

* Create clientcert.pem

* Create clientkey.pem

* Create url_parser.h

* Delete clientcert.pem

* Delete clientkey.pem

* Delete rootcacert.pem

* Delete tlcp_client_connect.c

* Delete url_parser.h

* Create tlcp_client_rootcacert.pem

* Create tlcp_client_cert.pem

* Create tlcp_client_key.pem

* Create demo_tlcp_client_connect.c

* Delete tlcp_client_cert.pem

* Delete tlcp_client_key.pem

* Delete tlcp_client_rootcacert.pem

* Update demo_tlcp_client_connect.c
---
 demos/src/demo_tlcp_client_connect.c | 91 ++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 demos/src/demo_tlcp_client_connect.c

diff --git a/demos/src/demo_tlcp_client_connect.c b/demos/src/demo_tlcp_client_connect.c
new file mode 100644
index 00000000..1fc27b86
--- /dev/null
+++ b/demos/src/demo_tlcp_client_connect.c
@@ -0,0 +1,91 @@
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <gmssl/tls.h>
+#include <gmssl/error.h>
+#define TLS_DEFAULT_VERIFY_DEPTH	4
+
+int main(int argc, char *argv[])
+{
+    int ret = -1;
+    char *prog = argv[0];
+    const int cipher = TLS_cipher_ecc_sm4_cbc_sm3;
+    struct hostent *hp;
+    struct sockaddr_in server;
+    int sock;
+    TLS_CTX ctx;
+    TLS_CONNECT conn;
+    char request[1024];
+    uint8_t buf[16800];
+    char *p;
+    size_t len;
+	
+    //证书和密钥使用/demos/scripts/tlcp_server.sh生成
+    char* cacertfile="rootcacert.pem";
+    char* certfile="clientcert.pem";
+    char* keyfile="clientkey.pem";
+    char *pass = "1234";
+    if(argc < 3)
+    {
+    	fprintf(stderr,"usage %s ip port \n",argv[0]);
+    	return -1;
+    }
+    server.sin_family = AF_INET;
+    server.sin_port = htons(atoi(argv[2]));
+    server.sin_addr.s_addr = inet_addr(argv[1]);
+    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+        perror("socket");
+        printf("创建socket错误");
+        goto end;
+    }
+    if (connect(sock, (struct sockaddr *)&server , sizeof(server)) < 0) {//去连接服务器
+        perror("connect");
+        printf("socket连接失败");
+        goto end;
+    }
+
+
+	memset(&ctx, 0, sizeof(ctx));
+	memset(&conn, 0, sizeof(conn));
+
+	tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_client_mode);
+	tls_ctx_set_cipher_suites(&ctx, &cipher, 1);
+
+	if (cacertfile) {
+		if (tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1) {
+			fprintf(stderr, "%s: context init error\n", prog);
+			goto end;
+		}
+	}
+	if (certfile) {
+		if (tls_ctx_set_certificate_and_key(&ctx, certfile, keyfile, pass) != 1) {
+			fprintf(stderr, "%s: context init error\n", prog);
+			goto end;
+		}
+	}
+
+    tls_init(&conn, &ctx);
+	tls_set_socket(&conn, sock);
+
+
+    if(tls_do_handshake(&conn) == 1)
+    {
+        return 0;
+    }
+	else {//握手
+		fprintf(stderr, "%s: error\n", prog);
+		goto end;
+	}
+end:
+    close(sock);
+	tls_ctx_cleanup(&ctx);
+	tls_cleanup(&conn);
+    return 0;
+}

From f96d2f6a956fa919cf3a9ef2d9777da8c79c653b Mon Sep 17 00:00:00 2001
From: PowerJJJ6669991819
 <127295546+PowerJJJ6669991819@users.noreply.github.com>
Date: Fri, 7 Apr 2023 20:57:49 +0800
Subject: [PATCH 4/5] demos_tlcp_server_connection (#1439)

* Create tlcp_server_connect.c

* Create double_certs.pem

* Create signkey.pem

* Create enckey.pem

* Create cacert.pem

* Delete cacert.pem

* Delete double_certs.pem

* Delete enckey.pem

* Delete signkey.pem

* Delete tlcp_server_connect.c

* Create demo_tlcp_server_connect.c

* Create tlcp_server_double_certs.pem

* Create tlcp_server_signkey.pem

* Create tlcp_server_enckey.pem

* Create tlcp_server_cacert.pem

* Delete tlcp_server_cacert.pem

* Delete tlcp_server_double_certs.pem

* Delete tlcp_server_enckey.pem

* Delete tlcp_server_signkey.pem

* Create tlcp_server_double_certs.pem

* Create tlcp_server_signkey.pem

* Create tlcp_server_enckey.pem

* Create tlcp_server_cacert.pem

* Delete tlcp_server_cacert.pem

* Delete tlcp_server_double_certs.pem

* Delete tlcp_server_enckey.pem

* Delete tlcp_server_signkey.pem

* Update demo_tlcp_server_connect.c
---
 demos/src/demo_tlcp_server_connect.c | 106 +++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 demos/src/demo_tlcp_server_connect.c

diff --git a/demos/src/demo_tlcp_server_connect.c b/demos/src/demo_tlcp_server_connect.c
new file mode 100644
index 00000000..546986cb
--- /dev/null
+++ b/demos/src/demo_tlcp_server_connect.c
@@ -0,0 +1,106 @@
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <gmssl/mem.h>
+#include <gmssl/sm2.h>
+#include <gmssl/tls.h>
+#include <gmssl/error.h>
+#include <gmssl/pem.h>
+
+int main(int argc,char *argv[]){
+
+    int ret = 1;
+	char *prog = argv[0];
+	char *signpass = "1234";
+	char *encpass = "1234";
+
+	int server_ciphers[] = { TLS_cipher_ecc_sm4_cbc_sm3, };
+	uint8_t verify_buf[4096];
+
+	TLS_CTX ctx;
+	TLS_CONNECT conn;
+	char buf[1600] = {0};
+	size_t len = sizeof(buf);
+
+	int sock;
+	struct sockaddr_in server_addr;//服务端地址
+	struct sockaddr_in client_addr;//客户端地址
+	socklen_t client_addrlen;
+	int conn_sock;
+
+	//证书和密钥使用/demos/scripts/tlcp_server.sh生成
+	char* certfile="double_certs.pem";
+	char* signkeyfile="signkey.pem";
+	char* enckeyfile="enckey.pem";
+	char* cacertfile="cacert.pem";
+
+
+	if(argc < 3)
+    {
+    	fprintf(stderr,"usage %s ip port \n",argv[0]);
+    	return -1;
+    }
+
+	memset(&ctx, 0, sizeof(ctx));
+	memset(&conn, 0, sizeof(conn));
+
+	if (tls_ctx_init(&ctx, TLS_protocol_tlcp, TLS_server_mode) != 1
+		|| tls_ctx_set_cipher_suites(&ctx, server_ciphers, sizeof(server_ciphers)/sizeof(int)) != 1
+		|| tls_ctx_set_tlcp_server_certificate_and_keys(&ctx, certfile, signkeyfile, signpass, enckeyfile, encpass) != 1) {
+		error_print();
+		return -1;
+	}
+	if (cacertfile) {
+		if (tls_ctx_set_ca_certificates(&ctx, cacertfile, TLS_DEFAULT_VERIFY_DEPTH) != 1) {
+			error_print();
+			return -1;
+		}
+	}
+	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+		error_print();
+		return 1;
+	}
+
+    server_addr.sin_family = AF_INET;
+    server_addr.sin_port = htons(atoi(argv[2]));
+    server_addr.sin_addr.s_addr = inet_addr(argv[1]);
+
+    if (bind(sock, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
+        error_print();
+        perror("tlcp_accept: bind: ");
+    }
+
+    puts("start listen ...\n");
+    listen(sock, 1);
+    client_addrlen = sizeof(client_addr);
+
+    if ((conn_sock = accept(sock, (struct sockaddr *)&client_addr, &client_addrlen)) < 0) {
+        error_print();
+    }
+
+    puts("socket connected\n");
+    printf("client ip : %s\nport %d\n",inet_ntoa(client_addr.sin_addr),ntohs(client_addr.sin_port));
+
+
+	if (tls_init(&conn, &ctx) != 1
+		|| tls_set_socket(&conn, conn_sock) != 1) {
+		error_print();
+		return -1;
+	}
+	printf("tlcp_init finished\n");
+	if (tls_do_handshake(&conn) == 1) {
+		return 0;
+	}	
+	else {
+		error_print(); 
+		return -1;
+	}
+
+	return 0;
+}

From 9ac4ba8fd3aa3bd612f8ac68c320eff3d390383e Mon Sep 17 00:00:00 2001
From: zhwist <74577660+zhwist@users.noreply.github.com>
Date: Fri, 7 Apr 2023 21:06:56 +0800
Subject: [PATCH 5/5] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E8=AF=81=E4=B9=A6?=
 =?UTF-8?q?=E7=94=9F=E6=88=90=E7=9A=84C=E8=AF=AD=E8=A8=80demo=20(#1465)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add files via upload

* Add files via upload

* Add files via upload

* Add files via upload

* Delete cert_gen.sh

* Delete cert_sign.sh

---------

Co-authored-by: Simon <zhaopku09@gmail.com>
---
 demos/src/demo_cert_gen.c  | 258 +++++++++++++++++++++++++++
 demos/src/demo_cert_sign.c | 353 +++++++++++++++++++++++++++++++++++++
 2 files changed, 611 insertions(+)
 create mode 100644 demos/src/demo_cert_gen.c
 create mode 100644 demos/src/demo_cert_sign.c

diff --git a/demos/src/demo_cert_gen.c b/demos/src/demo_cert_gen.c
new file mode 100644
index 00000000..790b8caf
--- /dev/null
+++ b/demos/src/demo_cert_gen.c
@@ -0,0 +1,258 @@
+/*
+ *  Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/mem.h>
+#include <gmssl/rand.h>
+#include <gmssl/pkcs8.h>
+#include <gmssl/error.h>
+#include <gmssl/hex.h>
+#include <gmssl/x509.h>
+#include <gmssl/x509_ext.h>
+
+
+
+
+static int ext_key_usage_set(int *usages, const char *usage_name)
+{
+	int flag;
+	if (x509_key_usage_from_name(&flag, usage_name) != 1) {
+		error_print();
+		return -1;
+	}
+	*usages |= flag;
+	return 1;
+}
+
+int main(int argc, char *argv[])
+{
+	int ret = 1;
+	char *prog = argv[0];
+	char *str;
+
+	// SerialNumber
+	uint8_t serial[20];
+	int serial_len = 12;
+
+	// Issuer, Subject
+	uint8_t name[256];
+	size_t namelen;
+	char *country = "CN";
+	char *state = "Beijing";
+	char *locality = "Haidian";
+	char *org = "PKU";
+	char *org_unit = "CS";
+	char *common_name = "ROOTCA";
+
+	// Validity
+	int days = 3650;
+	time_t not_before;
+	time_t not_after;
+
+	// Private Key
+	char *keyfile="rootcakey.pem";  //可由/demos/scripts/cert_gen.sh生成
+	FILE *keyfp = NULL;
+	char *pass = "1234";
+	SM2_KEY sm2_key;
+	char signer_id[SM2_MAX_ID_LENGTH + 1] = {0};
+	size_t signer_id_len = 0;
+
+	uint8_t *cert = NULL;
+	size_t certlen = 0;
+	FILE *outfp = stdout;
+	char *outfile = "rootcacert.pem";
+	uint8_t *p;
+
+	// Extensions
+	uint8_t exts[4096];
+	size_t extslen = 0;
+
+	// AuthorityKeyIdentifier
+	int gen_authority_key_id = 0;
+
+	// SubjectKeyIdentifier
+	int gen_subject_key_id = 0;
+
+	// KeyUsage
+	int key_usage = 0;
+	char *keyusage1="keyCertSign";
+	char *keyusage2="cRLSign";
+
+	// SubjectAltName
+	uint8_t subject_alt_name[2048];
+	size_t subject_alt_name_len = 0;
+
+	// IssuerAltName
+	uint8_t issuer_alt_name[512];
+	size_t issuer_alt_name_len = 0;
+
+	// BasicConstraints
+	int ca = 1;
+	int path_len_constraint = 6;
+
+	// ExtKeyUsageSyntax
+	int ext_key_usages[12];
+	size_t ext_key_usages_cnt = 0;
+
+	// CRLDistributionPoints
+	char *crl_http_uri = "http://pku.edu.cn/ca.crl";
+	char *crl_ldap_uri = NULL;
+
+	// InhibitAnyPolicy
+	int inhibit_any_policy = -1;
+
+	// FreshestCRL
+	char *ca_issuers_uri = "http://pku.edu.cn/ca.crt";
+	char *ocsp_uri = "http://ocsp.pku.edu.cn";
+
+
+	if (!(keyfp = fopen(keyfile, "rb"))) {
+		fprintf(stderr, "%s: open '%s' failure : %s\n", prog, keyfile, strerror(errno));
+		goto end;
+	}
+
+
+	if (ext_key_usage_set(&key_usage, keyusage1) != 1) {
+		fprintf(stderr, "%s: invalid `-key_usage` value '%s'\n", prog, keyusage1);
+		goto end;
+	}
+	
+	if (ext_key_usage_set(&key_usage, keyusage2) != 1) {
+		fprintf(stderr, "%s: invalid `-key_usage` value '%s'\n", prog, keyusage2);
+		goto end;
+	}
+	
+	
+	if (!(outfp = fopen(outfile, "wb"))) {
+		fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
+		goto end;
+	}
+	
+	if (!signer_id_len) {
+		strcpy(signer_id, SM2_DEFAULT_ID);
+		signer_id_len = strlen(SM2_DEFAULT_ID);
+	}
+
+
+
+	if (sm2_private_key_info_decrypt_from_pem(&sm2_key, pass, keyfp) != 1) {
+		fprintf(stderr, "%s: load private key failed\n", prog);
+		goto end;
+	}
+	
+
+
+
+	// Issuer, Subject
+	if (x509_name_set(name, &namelen, sizeof(name), country, state, locality, org, org_unit, common_name) != 1) {
+		fprintf(stderr, "%s: set Issuer/Subject Name error\n", prog);
+		goto end;
+	}
+
+	// Validity
+	time(&not_before);
+	if (x509_validity_add_days(&not_after, not_before, days) != 1) {
+		fprintf(stderr, "%s: set Validity failure\n", prog);
+		goto end;
+	}
+
+
+	if (key_usage) {
+		if (x509_exts_add_key_usage(exts, &extslen, sizeof(exts), X509_critical, key_usage) != 1) {
+			fprintf(stderr, "%s: set KeyUsage extension failure\n", prog);
+			goto end;
+		}
+	}
+
+
+	// no SubjectDirectoryAttributes
+	if (ca >= 0 || path_len_constraint >= 0) {
+		if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
+			X509_critical, ca, path_len_constraint) != 1) {
+			fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
+			goto end;
+		}
+	}
+	// no NameConstraints
+	// no PolicyConstraints
+
+	if (crl_http_uri || crl_ldap_uri) {
+		if (x509_exts_add_crl_distribution_points(exts, &extslen, sizeof(exts),
+			-1,
+			crl_http_uri, crl_http_uri ? strlen(crl_http_uri) : 0,
+			crl_ldap_uri, crl_ldap_uri ? strlen(crl_ldap_uri) : 0) != 1) {
+			fprintf(stderr, "%s: set CRLDistributionPoints extension failure\n", prog);
+			return -1;
+		}
+	}
+	
+
+	if (ca_issuers_uri || ocsp_uri) {
+		if (x509_exts_add_authority_info_access(exts, &extslen, sizeof(exts), 0,
+			ca_issuers_uri, ca_issuers_uri ? strlen(ca_issuers_uri) : 0,
+			ocsp_uri, ocsp_uri ? strlen(ocsp_uri) : 0) != 1) {
+			fprintf(stderr, "%s: set AuthorityInfoAccess extension failure\n",  prog);
+			goto end;
+		}
+	}
+
+	if (x509_cert_sign_to_der(
+		X509_version_v3,
+		serial, serial_len,
+		OID_sm2sign_with_sm3,
+		name, namelen,
+		not_before, not_after,
+		name, namelen,
+		&sm2_key,
+		NULL, 0,
+		NULL, 0,
+		exts, extslen,
+		&sm2_key, signer_id, signer_id_len,
+		NULL, &certlen) != 1) {
+		fprintf(stderr, "%s: certificate generation failure\n", prog);
+		goto end;
+	}
+	if (!(cert = malloc(certlen))) {
+		fprintf(stderr, "%s: malloc failure\n", prog);
+		goto end;
+	}
+	p = cert;
+	certlen = 0;
+	if (x509_cert_sign_to_der(
+		X509_version_v3,
+		serial, serial_len,
+		OID_sm2sign_with_sm3,
+		name, namelen,
+		not_before, not_after,
+		name, namelen,
+		&sm2_key,
+		NULL, 0,
+		NULL, 0,
+		exts, extslen,
+		&sm2_key, signer_id, signer_id_len,
+		&p, &certlen) != 1) {
+		fprintf(stderr, "%s: certificate generation failure\n", prog);
+		goto end;
+	}
+	if (x509_cert_to_pem(cert, certlen, outfp) != 1) {
+		fprintf(stderr, "%s: output certificate failed\n", prog);
+		goto end;
+	}
+	ret = 0;
+
+end:
+	gmssl_secure_clear(&sm2_key, sizeof(SM2_KEY));
+	if (cert) free(cert);
+	if (keyfp) fclose(keyfp);
+	if (outfile && outfp) fclose(outfp);
+	return ret;
+}
diff --git a/demos/src/demo_cert_sign.c b/demos/src/demo_cert_sign.c
new file mode 100644
index 00000000..54d642c4
--- /dev/null
+++ b/demos/src/demo_cert_sign.c
@@ -0,0 +1,353 @@
+/*
+ *  Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the License); you may
+ *  not use this file except in compliance with the License.
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/hex.h>
+#include <gmssl/mem.h>
+#include <gmssl/rand.h>
+#include <gmssl/x509.h>
+#include <gmssl/x509_ext.h>
+#include <gmssl/x509_req.h>
+
+
+
+static int ext_key_usage_set(int *usages, const char *usage_name)
+{
+	int flag = 0;
+	if (x509_key_usage_from_name(&flag, usage_name) != 1) {
+		return -1;
+	}
+	*usages |= flag;
+	return 1;
+}
+
+int main(int argc, char **argv)
+{
+	int ret = 1;
+	char *prog = argv[0];
+	char *str;
+
+	// Input Req/CSR
+	char *infile = "careq.pem";
+	FILE *infp = NULL;
+	uint8_t req[512];
+	size_t reqlen;
+	char req_id[SM2_MAX_ID_LENGTH + 1] = {0};
+	size_t req_id_len = 0;
+
+	// SerialNumber
+	uint8_t serial[20];
+	int serial_len = 12;
+
+	// Validity
+	int days = 365;
+	time_t not_before;
+	time_t not_after;
+
+	// Subject from Req
+	const uint8_t *subject;
+	size_t subject_len;
+	SM2_KEY subject_public_key;
+
+	// CA certficate and Private Key
+	uint8_t *cacert = NULL;
+	char *rootcacert="rootcacert.pem";
+	size_t cacertlen;
+	FILE *keyfp = NULL;
+	char *rootcakey="rootcakey.pem";
+	char *pass = "1234";
+	SM2_KEY sm2_key;
+	char signer_id[SM2_MAX_ID_LENGTH + 1] = {0};
+	size_t signer_id_len = 0;
+
+	// Issuer from CA certificate
+	const uint8_t *issuer;
+	size_t issuer_len;
+	SM2_KEY issuer_public_key;
+
+	// Output
+	char *outfile = "cacert.pem";
+	FILE *outfp = stdout;
+	uint8_t *cert = NULL;
+	size_t certlen = 0;
+	uint8_t *p;
+
+	// Extensions
+	uint8_t exts[4096];
+	size_t extslen = 0;
+
+	// AuthorityKeyIdentifier
+	int gen_authority_key_id = 0;
+
+	// SubjectKeyIdentifier
+	int gen_subject_key_id = 0;
+
+	// KeyUsage
+	int key_usage = 0;
+	char *keyusage="keyCertSign";
+
+	// SubjectAltName
+	uint8_t subject_alt_name[2048];
+	size_t subject_alt_name_len = 0;
+
+	// IssuerAltName
+	uint8_t issuer_alt_name[512];
+	size_t issuer_alt_name_len = 0;
+
+	// BasicConstraints
+	int ca = -1;
+	int path_len_constraint = 0;
+
+	// ExtKeyUsageSyntax
+	int ext_key_usages[12];
+	size_t ext_key_usages_cnt = 0;
+
+	// CRLDistributionPoints
+	char *crl_http_uri = NULL;
+	char *crl_ldap_uri = NULL;
+
+	// InhibitAnyPolicy
+	int inhibit_any_policy = -1;
+
+	// FreshestCRL
+	char *ca_issuers_uri = NULL;
+	char *ocsp_uri = NULL;
+
+
+
+
+
+			if (!(infp = fopen(infile, "rb"))) {
+				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, infile, strerror(errno));
+				goto end;
+			}
+			
+
+			if (!(outfp = fopen(outfile, "wb"))) {
+				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
+				goto end;
+			}
+
+
+			if (x509_cert_new_from_file(&cacert, &cacertlen, rootcacert) != 1) {
+				fprintf(stderr, "%s: load ca certificate '%s' failure\n", prog, rootcacert);
+				goto end;
+			}
+			
+			
+			if (!(keyfp = fopen(rootcakey, "rb"))) {
+				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, rootcakey, strerror(errno));
+				goto end;
+			}
+			
+
+			if (ext_key_usage_set(&key_usage, keyusage) != 1) {
+				fprintf(stderr, "%s: invalid `-key_usage` value '%s'\n", prog, keyusage);
+				goto end;
+			}
+
+	if (!days) {
+		fprintf(stderr, "%s: '-days' option required\n", prog);
+		goto end;
+	}
+	if (!cacert) {
+		fprintf(stderr, "%s: '-cacert' option required\n", prog);
+		goto end;
+	}
+	if (!keyfp) {
+		fprintf(stderr, "%s: '-key' option required\n", prog);
+		goto end;
+	}
+	if (!pass) {
+		fprintf(stderr, "%s: '-pass' option required\n", prog);
+		goto end;
+	}
+
+	if (x509_req_from_pem(req, &reqlen, sizeof(req), infp) != 1) {
+		fprintf(stderr, "%s: parse CSR failure\n", prog);
+		goto end;
+	}
+	if (!req_id_len) {
+		strcpy(req_id, SM2_DEFAULT_ID);
+		req_id_len = strlen(SM2_DEFAULT_ID);
+	}
+	if (x509_req_verify(req, reqlen, req_id, req_id_len) != 1) {
+		fprintf(stderr, "%s: signature verification failure\n", prog);
+		goto end;
+	}
+	if (x509_req_get_details(req, reqlen,
+		NULL, &subject, &subject_len, &subject_public_key,
+		NULL, NULL, NULL, NULL, NULL) != 1) {
+		fprintf(stderr, "%s: parse CSR failure\n", prog);
+		goto end;
+	}
+
+	if (x509_cert_get_subject(cacert, cacertlen, &issuer, &issuer_len) != 1
+		|| x509_cert_get_subject_public_key(cacert, cacertlen, &issuer_public_key) != 1) {
+		fprintf(stderr, "%s: parse CA certificate failure\n", prog);
+		goto end;
+	}
+	if (sm2_private_key_info_decrypt_from_pem(&sm2_key, pass, keyfp) != 1) {
+		fprintf(stderr, "%s: load private key failure\n", prog);
+		goto end;
+	}
+	if (sm2_public_key_equ(&sm2_key, &issuer_public_key) != 1) {
+		fprintf(stderr, "%s: private key and CA certificate not match\n", prog);
+		goto end;
+	}
+	if (!signer_id_len) {
+		strcpy(signer_id, SM2_DEFAULT_ID);
+		signer_id_len = strlen(SM2_DEFAULT_ID);
+	}
+
+	if (rand_bytes(serial, serial_len) != 1) {
+		fprintf(stderr, "%s: random number generator error\n", prog);
+		goto end;
+	}
+
+	time(&not_before);
+	if (x509_validity_add_days(&not_after, not_before, days) != 1) {
+		fprintf(stderr, "%s: set Validity failure\n", prog);
+		goto end;
+	}
+
+	// following code copy from certgen.c
+	// Extensions
+	if (gen_authority_key_id) {
+		if (x509_exts_add_default_authority_key_identifier(exts, &extslen, sizeof(exts), &sm2_key) != 1) {
+			fprintf(stderr, "%s: set AuthorityKeyIdentifier extension failure\n", prog);
+			goto end;
+		}
+	}
+	if (gen_subject_key_id) {
+		if (x509_exts_add_subject_key_identifier_ex(exts, &extslen, sizeof(exts), -1, &sm2_key) != 1) {
+			fprintf(stderr, "%s: set SubjectKeyIdentifier extension failure\n", prog);
+			goto end;
+		}
+	}
+	if (key_usage) {
+		if (x509_exts_add_key_usage(exts, &extslen, sizeof(exts), X509_critical, key_usage) != 1) {
+			fprintf(stderr, "%s: set KeyUsage extension failure\n", prog);
+			goto end;
+		}
+	}
+	// no CertificatePolicies
+	// no PolicyMappings
+	if (subject_alt_name_len) {
+		if (x509_exts_add_subject_alt_name(exts, &extslen, sizeof(exts),
+			-1, subject_alt_name, subject_alt_name_len) != 1) {
+			fprintf(stderr, "%s: set SubjectAltName extension failure\n", prog);
+			goto end;
+		}
+	}
+	if (issuer_alt_name_len) {
+		if (x509_exts_add_issuer_alt_name(exts, &extslen, sizeof(exts),
+			-1, issuer_alt_name, issuer_alt_name_len) != 1) {
+			fprintf(stderr, "%s: set IssuerAltName extension failure\n", prog);
+			goto end;
+		}
+	}
+	// no SubjectDirectoryAttributes
+	if (ca >= 0 || path_len_constraint >= 0) {
+		if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
+			X509_critical, ca, path_len_constraint) != 1) {
+			fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
+			goto end;
+		}
+	}
+	// no NameConstraints
+	// no PolicyConstraints
+	if (ext_key_usages_cnt) {
+		if (x509_exts_add_ext_key_usage(exts, &extslen, sizeof(exts),
+			-1, ext_key_usages, ext_key_usages_cnt) != 1) {
+			fprintf(stderr, "%s: set ExtKeyUsage extension failure\n", prog);
+			goto end;
+		}
+	}
+	if (crl_http_uri || crl_ldap_uri) {
+		if (x509_exts_add_crl_distribution_points(exts, &extslen, sizeof(exts),
+			-1,
+			crl_http_uri, crl_http_uri ? strlen(crl_http_uri) : 0,
+			crl_ldap_uri, crl_ldap_uri ? strlen(crl_ldap_uri) : 0) != 1) {
+			fprintf(stderr, "%s: set CRLDistributionPoints extension failure\n", prog);
+			return -1;
+		}
+	}
+	if (inhibit_any_policy >= 0) {
+		if (x509_exts_add_inhibit_any_policy(exts, &extslen, sizeof(exts),
+			X509_critical, inhibit_any_policy) != 1) {
+			fprintf(stderr, "%s: set InhibitAnyPolicy extension failure\n", prog);
+			goto end;
+		}
+	}
+	if (ca_issuers_uri || ocsp_uri) {
+		if (x509_exts_add_authority_info_access(exts, &extslen, sizeof(exts), 0,
+			ca_issuers_uri, ca_issuers_uri ? strlen(ca_issuers_uri) : 0,
+			ocsp_uri, ocsp_uri ? strlen(ocsp_uri) : 0) != 1) {
+			fprintf(stderr, "%s: set AuthorityInfoAccess extension failure\n",  prog);
+			goto end;
+		}
+	}
+
+	if (x509_cert_sign_to_der(
+		X509_version_v3,
+		serial, serial_len,
+		OID_sm2sign_with_sm3,
+		issuer, issuer_len,
+		not_before, not_after,
+		subject, subject_len,
+		&subject_public_key,
+		NULL, 0,
+		NULL, 0,
+		exts, extslen,
+		&sm2_key, signer_id, signer_id_len,
+		NULL, &certlen) != 1) {
+		fprintf(stderr, "%s: certificate generation failure\n", prog);
+		goto end;
+	}
+	if (!(cert = malloc(certlen))) {
+		fprintf(stderr, "%s: malloc failure\n", prog);
+		goto end;
+	}
+	p = cert;
+	certlen = 0;
+	if (x509_cert_sign_to_der(
+		X509_version_v3,
+		serial, serial_len,
+		OID_sm2sign_with_sm3,
+		issuer, issuer_len,
+		not_before, not_after,
+		subject, subject_len,
+		&subject_public_key,
+		NULL, 0,
+		NULL, 0,
+		exts, extslen,
+		&sm2_key, signer_id, signer_id_len,
+		&p, &certlen) != 1) {
+		fprintf(stderr, "%s: certificate generation failure\n", prog);
+		goto end;
+	}
+
+	if (x509_cert_to_pem(cert, certlen, outfp) != 1) {
+		fprintf(stderr, "%s: output certificate failed\n", prog);
+		goto end;
+	}
+	ret = 0;
+end:
+	gmssl_secure_clear(&sm2_key, sizeof(SM2_KEY));
+	if (cert) free(cert);
+	if (keyfp) fclose(keyfp);
+	if (infile && infp) fclose(infp);
+	if (outfile && outfp) fclose(outfp);
+	return ret;
+}