From c7413a0bbffd63272e3f58b27702d7f0ed69d676 Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Thu, 18 Jun 2026 23:18:41 +0800
Subject: [PATCH] Update x509_certs_verify_tlcp
---
 CMakeLists.txt | 2 +-
 include/gmssl/version.h | 2 +-
 src/x509_cer.c | 60 ++++++++++++++++++++++-------------------
 3 files changed, 35 insertions(+), 29 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e10e7bcc..2e1c11ea 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -820,7 +820,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1092")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1093")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 1ae5add0..485239ab 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1092"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1093"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/x509_cer.c b/src/x509_cer.c
index 11b70af7..b78be2b7 100644
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -2010,8 +2010,8 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 size_t kenc_certlen;
 const uint8_t *cacert;
 size_t cacertlen;
- const uint8_t *name;
- size_t namelen;
+ int matched_root = 0;
+ int ret;
 int path_len = 0;
 int path_len_constraint;
@@ -2085,36 +2085,42 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 path_len++;
 }
-
- if (x509_cert_get_issuer(cert, certlen, &name, &namelen) != 1) {
- error_print();
- return -1;
- }
- if (x509_certs_get_cert_by_subject(rootcerts, rootcertslen, name, namelen, &cacert, &cacertlen) != 1) {
- error_print();
- return -1;
- }
- if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
- error_print();
- return -1;
- }
- if ((path_len_constraint >= 0 && path_len > path_len_constraint)
- || path_len > depth) {
- error_print();
- return -1;
- }
-
- // when no mid CA certs
- if (path_len == 0) {
- if (x509_cert_verify_by_ca_cert(kenc_cert, kenc_certlen, cacert, cacertlen,
- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1) {
+ while (rootcertslen) {
+ if (x509_cert_from_der(&cacert, &cacertlen, &rootcerts, &rootcertslen) != 1) {
 error_print();
 return -1;
 }
+ if ((ret = x509_cert_is_signed_by_root_ca_cert(cert, certlen, cacert, cacertlen,
+ SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH)) < 0) {
+ error_print();
+ return -1;
+ }
+ if (ret == 0) {
+ continue;
+ }
+ if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
+ error_print();
+ return -1;
+ }
+ if ((path_len_constraint >= 0 && path_len > path_len_constraint)
+ || path_len > depth) {
+ error_print();
+ return -1;
+ }
+
+ // when no mid CA certs
+ if (path_len == 0) {
+ if (x509_cert_verify_by_ca_cert(kenc_cert, kenc_certlen, cacert, cacertlen,
+ SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1) {
+ error_print();
+ return -1;
+ }
+ }
+ matched_root = 1;
+ break;
 }
- if (x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen,
- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1) {
+ if (!matched_root) {
 error_print();
 return -1;
 }
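Review bot: Inside the new `while (rootcertslen)` loop, a root that does sign `cert` but then fails `x509_cert_check` or the path-length test makes the whole verification `return -1` instead of `continue`-ing to the next root, so when two trusted roots share a subject (key rollover, cross-signing) the order of `rootcerts` decides whether verification succeeds rather than the loop's try-every-root intent. If failing closed on such a root is deliberate, a comment at those two checks should say so, e.g. `// a root that signs cert but is not a usable CA is a hard failure, not skipped`; otherwise those two checks should `continue` to the next candidate. The old explicit `x509_cert_verify_by_ca_cert(cert, ...)` against the root is gone, which is only safe if `x509_cert_is_signed_by_root_ca_cert` (not in this diff) verifies the signature and not merely the issuer name — worth confirming, and also worth a comment since the 1/0/-1 contract is what makes `ret == 0` a skip and `ret < 0` a hard error. `x509_certs_verify_tlcp` starts before this hunk.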