Fix NoMethodError in PKINIT extract_user_and_realm

[RiOxFRANKY]

Fix NoMethodError in PKINIT extract_user_and_realm (Issue #20427)

Summary

This PR fixes a NoMethodError: undefined method 'downcase' for OpenSSL::ASN1::ASN1Data that occurs in the Metasploit Kerberos client when a certificate's Subject Alternative Name (SAN) extension contains OtherName entries that are not MS UPNs (or are formatted in a way that returns ASN1Data instead of a String).

Root Cause

The bug was located in the normalization block of extract_user_and_realm. While the previous logic tried to handle ASN1Data objects using a series of elsif/else checks, it unfortunately relied on .to_s.downcase for non-string values. This caused:

1. Crashes: When an ASN1Data object (like an OtherName entry) was passed to the normalization block, it triggered the NoMethodError.
2. Data Corruption: Coercing complex ASN.1 structures to strings via .to_s produced garbage values like "[#<OpenSSL::ASN1::ObjectId:0x0000...>]".

The Fix

Replaced the broken map logic with a robust filter_map. The new implementation:

• Only calls .downcase on actual String objects.
• Automatically drops any pairs that contain non-string elements, ensuring normalized_results only contains valid principal/realm strings.
• Maintains compatibility with PR Fix crash in Kerberos::Client::Pkinit#extract_user_and_realm with specific SAN extension #19495 which fixed the outer SAN extension parsing.

Verification Steps

Automated Tests

Run the following spec to verify the fix and prevent regressions:

rspec spec/lib/msf/core/exploit/remote/kerberos/client/pkinit_spec.rb

[github-actions]

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We've added the additional-testing-required label to indicate that additional testing is required before this pull request can be merged.
For maintainers, this means visiting here.