From d7fcc6f457ad4266aa840d861e0907825405a5f3 Mon Sep 17 00:00:00 2001
From: Zhi Guan <guanzhi1980@gmail.com>
Date: Tue, 7 Feb 2023 14:57:17 +0800
Subject: [PATCH] Update demos

---
 demos/scripts/tlcpdemo.sh  | 12 +++++------
 demos/scripts/tls12demo.sh | 10 ++++-----
 demos/scripts/tls13demo.sh | 10 ++++-----
 src/sm2_lib.c              | 33 +++++++++++++++++++---------
 src/x509_cer.c             |  4 +++-
 src/x509_ext.c             | 44 +++++++++++++++++---------------------
 tools/certverify.c         | 10 ++++++---
 tools/gmssl.c              | 15 +++++++------
 tools/sm2keygen.c          | 16 ++++++++++----
 9 files changed, 90 insertions(+), 64 deletions(-)

diff --git a/demos/scripts/tlcpdemo.sh b/demos/scripts/tlcpdemo.sh
index 7e7c1891..ec8e1fa1 100755
--- a/demos/scripts/tlcpdemo.sh
+++ b/demos/scripts/tlcpdemo.sh
@@ -2,21 +2,21 @@
 
 
 gmssl sm2keygen -pass 1234 -out rootcakey.pem
-gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca
 gmssl certparse -in rootcacert.pem
 
 gmssl sm2keygen -pass 1234 -out cakey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
-gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -ca -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
 gmssl certparse -in cacert.pem
 
 gmssl sm2keygen -pass 1234 -out signkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem
 gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
 gmssl certparse -in signcert.pem
 
 gmssl sm2keygen -pass 1234 -out enckey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem
 gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
 gmssl certparse -in enccert.pem
 
@@ -30,7 +30,7 @@ sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1
 sleep 3
 
 gmssl sm2keygen -pass 1234 -out clientkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -key clientkey.pem -pass 1234 -out clientreq.pem
 gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
 gmssl certparse -in clientcert.pem
 
diff --git a/demos/scripts/tls12demo.sh b/demos/scripts/tls12demo.sh
index a8988b70..b9028456 100755
--- a/demos/scripts/tls12demo.sh
+++ b/demos/scripts/tls12demo.sh
@@ -2,16 +2,16 @@
 
 
 gmssl sm2keygen -pass 1234 -out rootcakey.pem
-gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca
 gmssl certparse -in rootcacert.pem
 
 gmssl sm2keygen -pass 1234 -out cakey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
-gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem -ca -path_len_constraint 0
 gmssl certparse -in cacert.pem
 
 gmssl sm2keygen -pass 1234 -out signkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem
 gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
 gmssl certparse -in signcert.pem
 
@@ -24,7 +24,7 @@ sudo gmssl tls12_server -port 443 -cert certs.pem -key signkey.pem -pass 1234 -c
 sleep 3
 
 gmssl sm2keygen -pass 1234 -out clientkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -key clientkey.pem -pass 1234 -out clientreq.pem
 gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
 gmssl certparse -in clientcert.pem
 
diff --git a/demos/scripts/tls13demo.sh b/demos/scripts/tls13demo.sh
index e53a7593..5107c61f 100755
--- a/demos/scripts/tls13demo.sh
+++ b/demos/scripts/tls13demo.sh
@@ -2,16 +2,16 @@
 
 
 gmssl sm2keygen -pass 1234 -out rootcakey.pem
-gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca
 gmssl certparse -in rootcacert.pem
 
 gmssl sm2keygen -pass 1234 -out cakey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
-gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -ca -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
 gmssl certparse -in cacert.pem
 
 gmssl sm2keygen -pass 1234 -out signkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem
 gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
 gmssl certparse -in signcert.pem
 
@@ -24,7 +24,7 @@ sudo gmssl tls13_server -port 443 -cert certs.pem -key signkey.pem -pass 1234 -c
 sleep 3
 
 gmssl sm2keygen -pass 1234 -out clientkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -key clientkey.pem -pass 1234 -out clientreq.pem
 gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
 gmssl certparse -in clientcert.pem
 
diff --git a/src/sm2_lib.c b/src/sm2_lib.c
index cd93c2ca..2018d76f 100644
--- a/src/sm2_lib.c
+++ b/src/sm2_lib.c
@@ -733,15 +733,27 @@ int sm2_ciphertext_from_der(SM2_CIPHERTEXT *C, const uint8_t **in, size_t *inlen
 		return ret;
 	}
 	if (asn1_integer_from_der(&x, &xlen, &d, &dlen) != 1
-		|| asn1_integer_from_der(&y, &ylen, &d, &dlen) != 1
-		|| asn1_octet_string_from_der(&hash, &hashlen, &d, &dlen) != 1
-		|| asn1_octet_string_from_der(&c, &clen, &d, &dlen) != 1
-		|| asn1_length_le(xlen, 32) != 1
-		|| asn1_length_le(ylen, 32) != 1
-		|| asn1_check(hashlen == 32) != 1
-		|| asn1_length_le(clen, SM2_MAX_PLAINTEXT_SIZE) != 1
-		|| asn1_length_is_zero(clen) == 1
-		|| asn1_length_is_zero(dlen) != 1) {
+		|| asn1_length_le(xlen, 32) != 1) {
+		error_print();
+		return -1;
+	}
+	if (asn1_integer_from_der(&y, &ylen, &d, &dlen) != 1
+		|| asn1_length_le(ylen, 32) != 1) {
+		error_print();
+		return -1;
+	}
+	if (asn1_octet_string_from_der(&hash, &hashlen, &d, &dlen) != 1
+		|| asn1_check(hashlen == 32) != 1) {
+		error_print();
+		return -1;
+	}
+	if (asn1_octet_string_from_der(&c, &clen, &d, &dlen) != 1
+	//	|| asn1_length_is_zero(clen) == 1
+		|| asn1_length_le(clen, SM2_MAX_PLAINTEXT_SIZE) != 1) {
+		error_print();
+		return -1;
+	}
+	if (asn1_length_is_zero(dlen) != 1) {
 		error_print();
 		return -1;
 	}
@@ -818,7 +830,8 @@ int sm2_decrypt(const SM2_KEY *key, const uint8_t *in, size_t inlen, uint8_t *ou
 		return -1;
 	}
 	if (sm2_ciphertext_from_der(&C, &in, &inlen) != 1
-		|| asn1_length_is_zero(inlen) != 1) {
+		|| asn1_length_is_zero(inlen) != 1
+		) {
 		error_print();
 		return -1;
 	}
diff --git a/src/x509_cer.c b/src/x509_cer.c
index 51688f46..3522d72c 100644
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -1796,6 +1796,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 	}
 	if (x509_cert_check(cert, certlen, entity_cert_type, &path_len_constraint) != 1) {
 		error_print();
+		x509_cert_print(stderr, 0, 10, "Invalid Entity Certificate", cert, certlen);
 		return -1;
 	}
 
@@ -1805,8 +1806,9 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 			error_print();
 			return -1;
 		}
-		if (x509_cert_check(cert, certlen, X509_cert_ca, &path_len_constraint) != 1) {
+		if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
 			error_print();
+			x509_cert_print(stderr, 0, 10, "Invalid CA Certificate", cacert, cacertlen);
 			return -1;
 		}
 
diff --git a/src/x509_ext.c b/src/x509_ext.c
index 4e765db7..c6715731 100644
--- a/src/x509_ext.c
+++ b/src/x509_ext.c
@@ -2039,7 +2039,7 @@ int x509_basic_constraints_from_der(int *ca, int *path_len_cons, const uint8_t *
 	return 1;
 }
 
-int x509_basic_constraints_check(int ca, int path_len_cons, int cert_type)
+int x509_basic_constraints_check(int ca, int path_len_constraint, int cert_type)
 {
 	/*
 	entity_cert:
@@ -2055,20 +2055,28 @@ int x509_basic_constraints_check(int ca, int path_len_cons, int cert_type)
 		ca = 1
 		path_len_constraint = -1 or > 0 (=0 might be ok?)
 	*/
-	if (cert_type == X509_cert_ca) {
+	switch (cert_type) {
+	case X509_cert_server_auth:
+	case X509_cert_client_auth:
+	case X509_cert_server_key_encipher:
+	case X509_cert_client_key_encipher:
+		if (ca > 0 || path_len_constraint != -1) {
+			error_print();
+			return -1;
+		}
+		break;
+	// FIXME: add more cert types and check path_len_constraint		
+	case X509_cert_ca:
+	case X509_cert_crl_sign:
+	case X509_cert_root_ca:
 		if (ca != 1) {
 			error_print();
 			return -1;
 		}
-		if (path_len_cons < 0 || path_len_cons > X509_MAX_PATH_LEN_CONSTRAINT) {
-			error_print();
-			return -1;
-		}
-	} else {
-		if (ca == 1 || path_len_cons >= 0) {
-			error_print();
-			return -1; // comment to only warning
-		}
+		break;
+	default:
+		error_print();
+		return -1;
 	}
 	return 1;
 }
@@ -2087,7 +2095,6 @@ int x509_basic_constraints_print(FILE *fp, int fmt, int ind, const char *label,
 
 	if ((ret = asn1_boolean_from_der(&val, &d, &dlen)) < 0) goto err;
 	if (ret) format_print(fp, fmt, ind, "cA: %s\n", asn1_boolean_name(val));
-	//else format_print(fp, fmt, ind, "cA: %s\n", asn1_boolean_name(0));
 	if ((ret = asn1_int_from_der(&val, &d, &dlen)) < 0) goto err;
 	if (ret) format_print(fp, fmt, ind, "pathLenConstraint: %d\n", val);
 	if (asn1_length_is_zero(dlen) != 1) goto err;
@@ -2921,10 +2928,9 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
 				error_print();
 				return -1;
 			}
+			*path_len_constraint = path_len;
 			break;
 
-
-
 		case OID_ce_ext_key_usage:
 			if (x509_ext_key_usage_from_der(ext_key_usages, &ext_key_usages_cnt,
 					sizeof(ext_key_usages)/sizeof(ext_key_usages[0]), &val, &vlen) != 1
@@ -2949,16 +2955,6 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
 		}
 	}
 
-	switch (cert_type) {
-	case X509_cert_ca:
-		if (ca != 1 || path_len < 0) {
-			error_print();
-			return -1;
-		}
-		*path_len_constraint = path_len;
-		break;
-	}
-
 	return 1;
 }
 
diff --git a/tools/certverify.c b/tools/certverify.c
index 49a1651d..742e387a 100644
--- a/tools/certverify.c
+++ b/tools/certverify.c
@@ -14,6 +14,7 @@
 #include <stdlib.h>
 #include <gmssl/x509.h>
 #include <gmssl/x509_crl.h>
+#include <gmssl/error.h>
 
 
 static const char *usage =
@@ -60,7 +61,7 @@ int certverify_main(int argc, char **argv)
 	argv++;
 
 	if (argc < 1) {
-		fprintf(stderr, "usage: %s %s\n", prog, options);
+		fprintf(stderr, "usage: %s %s\n", prog, usage);
 		return 1;
 	}
 
@@ -171,7 +172,8 @@ bad:
 			}
 
 		}
-		x509_name_print(stdout, 0, 0, "Signed by", subject, subject_len);
+		format_print(stdout, 0, 0, "Signed by\n");
+		x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len);
 
 		check_crl = 0; // only check the entity CRL
 
@@ -193,7 +195,8 @@ final:
 		goto end;
 	}
 	printf("Verification %s\n", rv ? "success" : "failure");
-	x509_name_print(stdout, 0, 0, "Signed by", subject, subject_len);
+	format_print(stdout, 0, 0, "Signed by\n");
+	x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len);
 
 	if (double_certs) {
 		if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
@@ -202,6 +205,7 @@ final:
 		}
 		printf("Verification %s\n", rv ? "success" : "failure");
 	}
+	printf("\n");
 
 	ret = 0;
 end:
diff --git a/tools/gmssl.c b/tools/gmssl.c
index 7da74f1b..ef2bd6d2 100644
--- a/tools/gmssl.c
+++ b/tools/gmssl.c
@@ -59,6 +59,7 @@ extern int skfutil_main(int argc, char **argv);
 
 static const char *options =
 	"command [options]\n"
+	"command -help\n"
 	"\n"
 	"Commands:\n"
 	"  help            Print this help message\n"
@@ -85,13 +86,13 @@ static const char *options =
 	"  reqparse        Parse and print a CSR\n"
 	"  crlget          Download the CRL of given certificate\n"
 	"  crlgen          Sign a CRL with CA certificate and private key\n"
-	"  crlparse        Verify a CRL with certificate\n"
-	"  crlverify       Parse and print CRL\n"
+	"  crlverify       Verify a CRL with issuer's certificate\n"
+	"  crlparse        Parse and print CRL\n"
 	"  certgen         Generate a self-signed certificate\n"
 	"  certparse       Parse and print certificates\n"
 	"  certverify      Verify certificate chain\n"
-	"  certrevoke      Revoke certificate and output RevokedCertificate in DER\n"
-	"  cmsparse        Parse cryptographic message syntax (CMS)\n"
+	"  certrevoke      Revoke certificate and output RevokedCertificate record\n"
+	"  cmsparse        Parse CMS (cryptographic message syntax) file\n"
 	"  cmsencrypt      Generate CMS EnvelopedData\n"
 	"  cmsdecrypt      Decrypt CMS EnvelopedData\n"
 	"  cmssign         Generate CMS SignedData\n"
@@ -103,8 +104,10 @@ static const char *options =
 	"  tls12_client    TLS 1.2 client\n"
 	"  tls12_server    TLS 1.2 server\n"
 	"  tls13_client    TLS 1.3 client\n"
-	"  tls13_server    TLS 1.3 server\n";
-
+	"  tls13_server    TLS 1.3 server\n"
+	"\n"
+	"run `gmssl <command> -help` to print help of the given command\n"
+	"\n";
 
 
 int main(int argc, char **argv)
diff --git a/tools/sm2keygen.c b/tools/sm2keygen.c
index 39af3d12..c4f7f65a 100644
--- a/tools/sm2keygen.c
+++ b/tools/sm2keygen.c
@@ -16,7 +16,14 @@
 #include <gmssl/sm2.h>
 
 
-static const char *options = "-pass str [-out pem] [-pubout pem]";
+static const char *usage = "-pass str [-out pem] [-pubout pem]\n";
+
+static const char *options =
+"Options\n"
+"    -pass pass                  Password to encrypt the private key\n"
+"    -out pem                    Output password-encrypted PKCS #8 private key in PEM format\n"
+"    -pubout pem                 Output public key in PEM format\n"
+"\n";
 
 int sm2keygen_main(int argc, char **argv)
 {
@@ -39,7 +46,8 @@ int sm2keygen_main(int argc, char **argv)
 
 	while (argc > 0) {
 		if (!strcmp(*argv, "-help")) {
-			printf("usage: %s %s\n", prog, options);
+			printf("usage: %s %s\n", prog, usage);
+			printf("%s\n", options);
 			ret = 0;
 			goto end;
 		} else if (!strcmp(*argv, "-pass")) {
@@ -63,7 +71,7 @@ int sm2keygen_main(int argc, char **argv)
 			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
 			goto end;
 bad:
-			fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
+			fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
 			goto end;
 		}
 
@@ -72,7 +80,7 @@ bad:
 	}
 
 	if (!pass) {
-		fprintf(stderr, "%s: '-pass' option required\n", prog);
+		fprintf(stderr, "%s: `-pass` option required\n", prog);
 		goto end;
 	}