cedarcode / webauthn-ruby

WebAuthn ruby server library ― Make your Ruby/Rails web server become a conformant WebAuthn Relying Party
https://rubygems.org/gems/webauthn
MIT License
649 stars 53 forks

Support 'apple' attestation statement format #343

Closed juanarias93 closed 3 years ago

juanarias93 commented 3 years ago

https://www.w3.org/TR/webauthn-2/#sctn-apple-anonymous-attestation

bdewater commented 3 years ago

Thanks for working on this! I wonder if this should be in a separate gem like other attestation formats. It is also possible to use it outside of the WebAuthn/browser context as documented on https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

In that sense it's very similar to https://github.com/bdewater/android_key_attestation and https://github.com/bdewater/safety_net_attestation 😄

juanarias93 commented 3 years ago

Hi @bdewater! Thanks for the comment!

> I wonder if this should be in a separate gem like other attestation formats.

Yes! We considered this possibility with @grzuy, but decided to keep the implementation here for now 🙂

grzuy commented 3 years ago

Hey @bdewater!

Thanks for the recommendation. It's definitely a possibility we might take that approach.

As a first take I wanted to implement it here to see how it played out and how much is specific to Apple vs. WebAuthn core.

But yes, agree we should consider splitting up.

grzuy commented 3 years ago

> as documented on https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

@bdewater After taking a closer look at that link, isn't fmt: apple-appattest (what's documented in that link) similar but still different than fmt: apple (a.k.a. Apple Anonymous https://www.w3.org/TR/webauthn-2/#sctn-apple-anonymous-attestation)?

In fact it seems there are even different root certs for both in https://www.apple.com/certificateauthority/private apparently?

grzuy commented 3 years ago

Released in v2.5.0.

bdewater commented 3 years ago

@grzuy you're right, my bad!