dotnet / Kerberos.NET

A Kerberos implementation built entirely in managed code.
MIT License

Properly check the KDC certificate for REALM SAN and KDC EKU. #360

Closed michael-dev closed 1 year ago

michael-dev commented 1 year ago

What's the problem?

KDC certificate is not checked against Domain and EKU.

What's the solution?

Check Domain SAN and KDC EKU on KDC reply certificate.

What issue is this related to, if any?

None known.
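The two checks the PR describes, written out as an added C# example (a hypothetical helper, not Kerberos.NET's own code): it assumes .NET 7 or later for X509SubjectAlternativeNameExtension, an Active Directory style realm whose name is the domain's DNS name carried as a dNSName SAN, and that the caller passes in the certificate taken from the KDC's PKINIT reply.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Added example (hypothetical helper, not part of Kerberos.NET): checks on the KDC reply certificate.
public static class KdcCertificateValidator
{
    // id-pkinit-KPKdc, the "KDC Authentication" EKU defined in RFC 4556 section 3.2.4.
    public const string KdcAuthenticationEku = "1.3.6.1.5.2.3.5";
    // Chain validation first, then the KDC-specific EKU and realm SAN checks; throws on failure
    // so a caller cannot ignore the result. trustedRoots: optional explicit issuer set (null = machine roots).
    public static void Validate(X509Certificate2 kdcCert, string realm, X509Certificate2Collection trustedRoots = null)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        // Requesting the EKU from the chain engine also rejects intermediates that constrain it away.
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(KdcAuthenticationEku));
        if (trustedRoots != null)
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
        }
        if (!chain.Build(kdcCert))
        {
            var reasons = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            throw new CryptographicException("KDC certificate chain is not trusted: " + reasons);
        }
        if (!HasKdcEku(kdcCert))
            throw new CryptographicException("KDC certificate lacks the KDC Authentication EKU");
        if (!HasRealmDnsSan(kdcCert, realm))
            throw new CryptographicException("KDC certificate has no dNSName SAN matching realm " + realm);
    }
    // True only when an EKU extension is present and lists id-pkinit-KPKdc.
    public static bool HasKdcEku(X509Certificate2 cert)
    {
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        return eku != null && eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == KdcAuthenticationEku);
    }
    // AD realms are the domain's DNS name in upper case, so the comparison is case-insensitive.
    // Requires .NET 7+ for X509SubjectAlternativeNameExtension.EnumerateDnsNames().
    public static bool HasRealmDnsSan(X509Certificate2 cert, string realm)
    {
        var san = cert.Extensions.OfType<X509SubjectAlternativeNameExtension>().FirstOrDefault();
        return san != null && san.EnumerateDnsNames().Any(n => string.Equals(n, realm, StringComparison.OrdinalIgnoreCase));
    }
}
```

RFC 4556 section 3.2.4 prefers the KDC identity to be carried as an id-pkinit-san otherName holding the KRB5PrincipalName krbtgt/REALM; this example only implements the dNSName form the PR mentions, so a certificate using the otherName form alone is rejected.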

michael-dev commented 1 year ago

I could also provide code to restrict the KDC cert to issuers in the LocalMachine (enterprise) NTAuth store to restrict the issuers in line with what Windows does, but I am unsure whether this is wanted?

SteveSyfuhs commented 1 year ago

I like it.