Target Issue
The Apple WebAuthn root CA subject DN is currently hardcoded in AppleAttestationProcessor.java:
private static final String SUBJECT_DN = "st=california, o=apple inc., cn=apple webauthn root ca";
This value is used to look up the Apple root certificate from authenticatorCertsFolder to verify fmt="apple" attestations (standard WebAuthn, used by Touch ID / Face ID).
Problem
If Apple rotates their root CA with a different subject DN, the lookup will return an empty result, causing attestation to fail.
There is no configuration-based way to override or update this value.
Test or custom environments cannot use alternative Apple-like certificates.
This approach is inconsistent with the rest of the module, where similar values are configurable via Fido2Configuration.
Proposed Fix
Add a new optional field appleRootCaSubjectDn to Fido2Configuration.
Update AppleAttestationProcessor to read the value from configuration:
Use Fido2Configuration.getAppleRootCaSubjectDn()
Fall back to the existing hardcoded value if not set
Backward Compatibility
Fully backward compatible
Existing deployments will continue using the default hardcoded DN if no configuration is provided
No behavioral changes expected
Acceptance Criteria
Add appleRootCaSubjectDn field to Fido2Configuration.java
Default value:
"st=california, o=apple inc., cn=apple webauthn root ca"
Update AppleAttestationProcessor to use the configurable value instead of a hardcoded constant
Ensure all existing Apple attestation tests pass without modification
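As an added illustration of the proposed fix (a hypothetical sketch, not the project's own code), the following Java shows the configuration-with-fallback pattern and the subject-DN lookup against a certificate folder. The Fido2Configuration class here is a stand-in with only the proposed field; the folder glob, the helper names, and the self-signed check are assumptions for the example, not the project's API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;

// Hypothetical sketch of the proposed change; not the project's own code.
public class AppleRootCaLookupExample {

    // The value hardcoded today, kept as the fallback so behaviour is unchanged
    // when the new configuration field is absent.
    static final String DEFAULT_SUBJECT_DN =
            "st=california, o=apple inc., cn=apple webauthn root ca";

    // Stand-in for the proposed Fido2Configuration field (assumed shape).
    public static class Fido2Configuration {
        private String appleRootCaSubjectDn; // null when not configured
        public String getAppleRootCaSubjectDn() { return appleRootCaSubjectDn; }
        public void setAppleRootCaSubjectDn(String dn) { this.appleRootCaSubjectDn = dn; }
    }

    // Configured DN, or the hardcoded default when the field is unset or blank.
    public static String effectiveSubjectDn(Fido2Configuration cfg) {
        String configured = cfg == null ? null : cfg.getAppleRootCaSubjectDn();
        return (configured == null || configured.isBlank()) ? DEFAULT_SUBJECT_DN : configured;
    }

    // X500Principal.equals compares canonical (RFC 2253) forms, so differences in
    // case and spacing do not matter. RDN order still does, so the configured value
    // must list RDNs in the order the JDK prints the subject (as the default does).
    public static boolean subjectMatches(X509Certificate cert, String expectedDn) {
        try {
            return cert.getSubjectX500Principal().equals(new X500Principal(expectedDn));
        } catch (IllegalArgumentException malformedDn) {
            return false; // an unparseable configured DN matches nothing
        }
    }

    // Accept a match only if it is actually self-signed, i.e. a root, not an
    // intermediate or leaf that happens to carry the expected subject.
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    // Scan the certificate folder (assumed to hold PEM or DER files) for the root.
    public static Optional<X509Certificate> findAppleRootCa(Path certsFolder, Fido2Configuration cfg)
            throws IOException, GeneralSecurityException {
        String expectedDn = effectiveSubjectDn(cfg);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (DirectoryStream<Path> files = Files.newDirectoryStream(certsFolder, "*.{pem,crt,cer,der}")) {
            for (Path file : files) {
                try (InputStream in = Files.newInputStream(file)) {
                    X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                    if (subjectMatches(cert, expectedDn) && isSelfSigned(cert)) {
                        return Optional.of(cert);
                    }
                } catch (GeneralSecurityException notACert) {
                    // Skip files that do not parse as X.509 and keep scanning.
                }
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        Fido2Configuration unset = new Fido2Configuration();
        System.out.println("fallback DN: " + effectiveSubjectDn(unset));

        Fido2Configuration custom = new Fido2Configuration();
        custom.setAppleRootCaSubjectDn("ST=California, O=Apple Inc., CN=Apple WebAuthn Root CA");
        System.out.println("configured DN: " + effectiveSubjectDn(custom));

        if (args.length == 1) { // optional: path to a local authenticatorCertsFolder
            Optional<X509Certificate> root = findAppleRootCa(Path.of(args[0]), custom);
            System.out.println(root.map(c -> "found: " + c.getSubjectX500Principal())
                                   .orElse("no matching self-signed root found"));
        }
    }
}
```

Two points worth keeping in mind when applying the fix for real. First, the lookup only selects which certificate is treated as the trust anchor; the attestation chain still has to be validated against that anchor afterwards, and the self-signed check above keeps an intermediate with a matching subject from being picked by mistake. Second, making the DN configurable moves the choice of trust anchor into the configuration, so the field deserves the same change control as the certificate folder itself.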