author Heiko Hund <heiko.hund@sophos.com> 2012-02-04 12:56:24 +0000
committer David Sommerseth <davids@redhat.com> 2012-02-04 14:50:50 +0100
commit 5e86fd93779482b90a191f929edebe414cd78a4f
tree 2bcc361091366cd0c0e1cbba0af5a7a869b747dd /sample-scripts
parent fc3ee19dee6c66e2325a24e864b5328128404e83
UTF-8 X.509 distinguished names
The UTF-8 support that came with commit 2627335 does allow international usernames and passwords. This patch introduces UTF-8 support for X.509 DNs. Additionally, instead of using the legacy openssl format, DNs are now displayed in RFC 2253 format; "/C=ru/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0 \xB2\xD0\xB0/O=\xD0\x9A\xD1\x80\xD0\xB5\xD0\xBC\xD0\xBB\xD1\x8C/CN=kreml.ru" becomes "C=ru, L=Москва, O=Кремль, CN=kreml.ru".

Since the specific character classes for X.509 names are removed, the "no-name-remapping" configuration option has no use anymore and is removed as well.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'sample-scripts')
-rwxr-xr-x sample-scripts/verify-cn 6
1 files changed, 3 insertions, 3 deletions
diff --git a/sample-scripts/verify-cn b/sample-scripts/verify-cn
index f9fea0f..6e747ef 100755
--- a/sample-scripts/verify-cn
+++ b/sample-scripts/verify-cn
@@ -3,7 +3,7 @@
# verify-cn -- a sample OpenVPN tls-verify script
#
# Return 0 if cn matches the common name component of
-# X509_NAME_oneline, 1 otherwise.
+# subject, 1 otherwise.
#
# For example in OpenVPN, you could use the directive:
#
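Review bot: the header comment at "# subject, 1 otherwise." now names the argument but says nothing about its format, and the match further down in this patch only works on the comma-and-space separated form. Suggest stating that here, for example "subject (RFC 2253 style, e.g. C=ru, O=..., CN=kreml.ru)", so anyone adapting the sample knows which string layout the script expects.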
@@ -13,7 +13,7 @@
# the client common name is listed on a line in the
# allowed_clients file.
-die "usage: verify-cn cnfile certificate_depth X509_NAME_oneline" if (@ARGV != 3);
+die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3);
# Parse out arguments:
# cnfile -- The file containing the list of common names, one per
@@ -37,7 +37,7 @@ if ($depth == 0) {
# If so, parse out the common name substring in
# the X509 subject string.
- if ($x509 =~ /\/CN=([^\/]+)/) {
+ if ($x509 =~ / CN=([^,]+)/) {
$cn = $1;
# Accept the connection if the X509 common name
# string matches the passed cn argument.
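Review bot: the new pattern "/ CN=([^,]+)/" requires a literal space before "CN=" and is not tied to an attribute boundary. A subject whose first or only component is the CN has no leading space, so $cn is never set and the client is rejected; and because the match is unanchored, the first " CN=" found anywhere in the string wins, including one that sits inside the value of an earlier attribute, in which case the script compares the wrong text against the allowed list. "[^,]+" also stops at a comma that RFC 2253 escapes as "\,", so a common name containing a comma is truncated. Suggest matching on an attribute boundary and accepting backslash-escaped characters in the value, along the lines of "/(?:^|, )CN=((?:\\.|[^,\\])+)/", or splitting the subject on unescaped commas first and taking the CN attribute from the resulting list.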