GhostPack / Certify

Active Directory certificate abuse.

feat: SAN url #40

Closed JonasBK closed 1 month ago

JonasBK commented 1 month ago

This PR allows the user to specify the URL component of the SAN in the certificate request.

Microsoft have made an alternative to the SID/security extension which is to include a "URL" component in the SAN including the SID of the target principal. This alternative is also considered as "strong mapping". Details:

This new URL parameter can be used as an alternative to the SID extension in an ESC1 attack. However, in an ESC6 attack, you can only specify the SAN in the cert request and not the SID extension, and the URL parameter therefore enables an ESC6 attack in the case where strong certificate mapping is enforced. The ESC6 attack still requires the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the CA to allow the attacker to set the SAN, and requires a cert template with the NO_SECURITY_EXTENSION flag to prevent the CA from adding the SID extension with the enrollee's SID.