Update X509 and certgen tool

include/gmssl/x509.h

@@ -279,6 +279,10 @@ int x509_signed_from_der(
 	int *signature_algor,
 	const uint8_t **sig, size_t *siglen,
 	const uint8_t **in, size_t *inlen);
+int x509_signed_verify(const uint8_t *a, size_t alen, const SM2_KEY *pub_key,
+	const char *signer_id, size_t signer_id_len);
+int x509_signed_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen,
+	const char *signer_id, size_t signer_id_len);
 
 int x509_certificate_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
 
@@ -297,10 +301,6 @@ int x509_cert_sign(
 	const uint8_t *exts, size_t exts_len,
 	const SM2_KEY *sign_key,
 	const char *signer_id, size_t signer_id_len);
-int x509_cert_verify(const uint8_t *a, size_t alen, const SM2_KEY *pub_key,
-	const char *signer_id, size_t signer_id_len);
-int x509_cert_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen,
-	const char *signer_id, size_t signer_id_len);
 
 int x509_cert_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen);
 int x509_cert_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_t *inlen);
@@ -310,6 +310,9 @@ int x509_cert_from_pem_by_index(uint8_t *a, size_t *alen, size_t maxlen, int ind
 int x509_cert_from_pem_by_subject(uint8_t *a, size_t *alen, size_t maxlen, const uint8_t *name, size_t namelen, FILE *fp);
 int x509_cert_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen);
 
+int x509_cert_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen,
+	const char *signer_id, size_t signer_id_len);
+
 int x509_cert_get_details(const uint8_t *a, size_t alen,
 	int *version,
 	const uint8_t **serial_number, size_t *serial_number_len,

include/gmssl/x509_crl.h

@@ -173,6 +173,8 @@ int x509_crl_exts_add_authority_key_identifier(
 	const uint8_t *keyid, size_t keyid_len,
 	const uint8_t *issuer, size_t issuer_len,
 	const uint8_t *serial, size_t serial_len);
+int x509_crl_exts_add_default_authority_key_identifier(uint8_t *exts, size_t *extslen, size_t maxlen,
+	const SM2_KEY *public_key);
 int x509_crl_exts_add_issuer_alt_name(
 	uint8_t *exts, size_t *extslen, size_t maxlen,
 	int critical,
@@ -277,7 +279,7 @@ int x509_crl_from_der_ex(
 	const uint8_t **exts, size_t *exts_len,
 	int *sig_alg, const uint8_t **sig, size_t *siglen,
 	const uint8_t **in, size_t *inlen);
-int x509_crl_validate(const uint8_t *a, size_t alen, time_t now, const uint8_t *ca_subject, size_t ca_subject_len);
+int x509_crl_validate(const uint8_t *a, size_t alen, time_t now);
 int x509_crl_verify(const uint8_t *a, size_t alen,
 	const SM2_KEY *sign_pub_key, const char *signer_id, size_t signer_id_len);
 int x509_crl_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen,

include/gmssl/x509_ext.h

@@ -1,4 +1,4 @@
-/*
+/*
  *  Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
  *
  *  Licensed under the Apache License, Version 2.0 (the License); you may
@@ -33,21 +33,21 @@ enum {
 /*
 Extensions:
 
-	1.  AuthorityKeyIdentifier	SEQUENCE			AuthorityKeyIdentifier
-	2.  SubjectKeyIdentifier	OCTET STRING
-	3.  KeyUsage			BIT STRING
+	1.  AuthorityKeyIdentifier	SEQUENCE			AuthorityKeyIdentifier		MUST non-critical
+	2.  SubjectKeyIdentifier	OCTET STRING							MUST non-critical
+	3.  KeyUsage			BIT STRING							SHOULD critical
 	4.  CertificatePolicies		SEQUENCE OF SEQUENCE		CertificatePolicies
-	5.  PolicyMappings		SEQUENCE OF SEQUENCE		PolicyMappings
-	6.  SubjectAltName		SEQUENCE OF SEQUENCE		GeneralNames
-	7.  IssuerAltName		SEQUENCE OF SEQUENCE		GeneralNames
-	8.  SubjectDirectoryAttributes	SEQUENCE OF SEQUENCE		Attributes
-	9.  BasicConstraints		SEQUENCE			BasicConstraints
+	5.  PolicyMappings		SEQUENCE OF SEQUENCE		PolicyMappings			SHOULD critical
+	6.  SubjectAltName		SEQUENCE OF SEQUENCE		GeneralNames			SHOULD non-critical
+	7.  IssuerAltName		SEQUENCE OF SEQUENCE		GeneralNames			SHOULD non-critical
+	8.  SubjectDirectoryAttributes	SEQUENCE OF SEQUENCE		Attributes			MUST non-critical
+	9.  BasicConstraints		SEQUENCE			BasicConstraints		CA: MUST critical, End-entity: MAY critical or non-critical
 	10. NameConstraints		SEQUENCE			NameConstraints
-	11. PolicyConstraints		SEQUENCE			PolicyConstraints
-	12. ExtKeyUsageSyntax		SEQUENCE OF OBJECT IDENTIFIER
+	11. PolicyConstraints		SEQUENCE			PolicyConstraints		MUST critical
+	12. ExtKeyUsageSyntax		SEQUENCE OF OBJECT IDENTIFIER					MAY critical or non-critical
 	13. CRLDistributionPoints	SEQUENCE OF SEQUENCE		DistributionPoints
-	14. InhibitAnyPolicy		INTEGER
-	15. FreshestCRL			SEQUENCE OF SEQUENCE		DistributionPoints
+	14. InhibitAnyPolicy		INTEGER								MUST critical
+	15. FreshestCRL			SEQUENCE OF SEQUENCE		DistributionPoints		MUST non-critical
 */
 
 int x509_exts_add_authority_key_identifier(uint8_t *exts, size_t *extslen, size_t maxlen, int critical,
@@ -57,6 +57,7 @@ int x509_exts_add_authority_key_identifier(uint8_t *exts, size_t *extslen, size_
 int x509_exts_add_default_authority_key_identifier(uint8_t *exts, size_t *extslen, size_t maxlen,
 	const SM2_KEY *public_key);
 int x509_exts_add_subject_key_identifier(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
+int x509_exts_add_subject_key_identifier_ex(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const SM2_KEY *subject_key);
 int x509_exts_add_key_usage(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int bits);
 int x509_exts_add_certificate_policies(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
 int x509_exts_add_policy_mappings(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);