
feat(jans-fido2): make Apple WebAuthn root CA subject DN configurable#13737

Open
imran-ishaq wants to merge 6 commits into main from jans-fido2-make-apple-root-ca-subject-dn-configurable

Conversation


@imran-ishaq imran-ishaq commented Apr 10, 2026

Description

This PR makes the Apple WebAuthn root CA subject DN configurable via Fido2Configuration,
replacing the hardcoded constant in AppleAttestationProcessor.

Changes

jans-fido2/model — Fido2Configuration.java

  • Added new optional field appleRootCaSubjectDn with default value
    "st=california, o=apple inc., cn=apple webauthn root ca" (same as the
    previously hardcoded string)
  • Added getter getAppleRootCaSubjectDn() and setter setAppleRootCaSubjectDn()

jans-fido2/server — AppleAttestationProcessor.java

  • Injected AppConfiguration into the processor
  • Added private helper getAppleRootCaSubjectDn() that reads the value from
    Fido2Configuration at runtime, with a fallback to the hardcoded SUBJECT_DN
    constant if config is null or the field is unset
  • Replaced direct SUBJECT_DN usage in process() with getAppleRootCaSubjectDn()

Backward Compatibility

  • Fully backward compatible. Existing deployments with no config change will use
    the field default which is identical to the previously hardcoded string.
  • @JsonIgnoreProperties(ignoreUnknown = true) on Fido2Configuration ensures
    existing stored configs without appleRootCaSubjectDn deserialize cleanly,
    falling back to the Java field default.
  • The hardcoded SUBJECT_DN constant is retained as a final safety fallback.
  • All existing Apple attestation tests pass without modification.

Target issue

The Apple WebAuthn root CA subject DN was hardcoded in AppleAttestationProcessor.java
with no way to override it without modifying and redeploying code. If Apple rotates
their root CA with a different subject DN, attestation would silently fail with no
configuration path to fix it.

closes #13736

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • New Features
    • FIDO2 attestation verification now supports a configurable Apple WebAuthn root CA subject DN, enabling runtime override of the trust anchor.
    • A sensible default Apple WebAuthn root CA subject DN is provided when no custom value is set.
    • Verification logic now prefers the configured DN when present, falling back to the default otherwise.

Signed-off-by: imran <imranishaq7071@gmail.com>
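An added example, not code from the Janssen project, that models the resolution order the PR describes (configured DN, then the SUBJECT_DN constant). The Fido2Configuration and AppConfiguration classes below are minimal stand-ins named after the page's types and the getFido2Configuration() accessor it mentions; a blank or whitespace-only value is treated as unset alongside null, which is the edge case the review on this PR raises.

```java
// Stand-in for io.jans.fido2.model.conf.Fido2Configuration (assumption: only the
// one field the PR adds is modelled here).
class Fido2Configuration {
    // Default matches the previously hardcoded value quoted in the PR description.
    private String appleRootCaSubjectDn = "st=california, o=apple inc., cn=apple webauthn root ca";

    public String getAppleRootCaSubjectDn() { return appleRootCaSubjectDn; }
    public void setAppleRootCaSubjectDn(String dn) { this.appleRootCaSubjectDn = dn; }
}

// Stand-in for the injected AppConfiguration; exposes getFido2Configuration() as on the page.
class AppConfiguration {
    private final Fido2Configuration fido2Configuration;
    AppConfiguration(Fido2Configuration fido2Configuration) { this.fido2Configuration = fido2Configuration; }
    public Fido2Configuration getFido2Configuration() { return fido2Configuration; }
}

public class AppleRootCaDnResolver {
    // Retained as the last-resort fallback, as the PR keeps it in AppleAttestationProcessor.
    static final String SUBJECT_DN = "st=california, o=apple inc., cn=apple webauthn root ca";

    // Resolution used before comparing against the attestation chain's root subject:
    // missing config, missing Fido2Configuration, null field and blank field all fall back.
    static String resolve(AppConfiguration appConfiguration) {
        if (appConfiguration == null || appConfiguration.getFido2Configuration() == null) {
            return SUBJECT_DN;
        }
        Fido2Configuration fido2Configuration = appConfiguration.getFido2Configuration();
        String appleDn = fido2Configuration.getAppleRootCaSubjectDn(); // read once, reuse below
        return (appleDn == null || appleDn.isBlank()) ? SUBJECT_DN : appleDn;
    }

    public static void main(String[] args) {
        Fido2Configuration cfg = new Fido2Configuration();
        AppConfiguration app = new AppConfiguration(cfg);

        System.out.println(resolve(null));            // no config at all: SUBJECT_DN constant
        System.out.println(resolve(app));             // unset in JSON: Java field default
        cfg.setAppleRootCaSubjectDn("   ");
        System.out.println(resolve(app));             // blank value: SUBJECT_DN, not ""
        cfg.setAppleRootCaSubjectDn("st=california, o=apple inc., cn=example rotated root ca"); // constructed sample
        System.out.println(resolve(app));             // operator override wins
    }
}
```

The blank check matters because a DN of "" would never match any certificate subject, so attestation would fail just as silently as the hardcoded case the PR set out to fix.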

coderabbitai bot commented Apr 10, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between a6c7bdf and b34352d.

📒 Files selected for processing (1)
  • jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/AppleAttestationProcessor.java

Walkthrough

Fido2Configuration gains a new appleRootCaSubjectDn property (defaulting to Apple's WebAuthn root CA Subject DN). AppleAttestationProcessor now reads that configurable DN via AppConfiguration and falls back to the original hardcoded DN when unset.

Changes

Configuration (jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java): Added appleRootCaSubjectDn field with default "st=california, o=apple inc., cn=apple webauthn root ca", plus getAppleRootCaSubjectDn() and setAppleRootCaSubjectDn(...).

Attestation Processor (jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/AppleAttestationProcessor.java): Injected AppConfiguration and added a helper to obtain the Apple root CA Subject DN from Fido2Configuration; replaced direct use of the hardcoded SUBJECT_DN with this configurable value (fallback to original constant if unset).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 12.50%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. Title clearly summarizes the main change: making Apple WebAuthn root CA subject DN configurable via configuration instead of hardcoded.
  • Description check: ✅ Passed. Description covers target issue (#13736), implementation details for both files, backward compatibility considerations, and acknowledges checklist items, though test/docs checkboxes remain unchecked.
  • Linked Issues check: ✅ Passed. PR fully addresses all objectives: appleRootCaSubjectDn field added to Fido2Configuration with correct default [#13736], AppleAttestationProcessor updated to read from config with fallback [#13736], backward compatibility maintained [#13736].
  • Out of Scope Changes check: ✅ Passed. All changes directly support the stated objective of making Apple root CA DN configurable; no unrelated modifications detected in configuration or attestation processor classes.



mo-auto commented Apr 10, 2026

Snyk checks have passed. No issues have been found so far.

Open Source Security: 0 critical, 0 high, 0 medium, 0 low (0 issues total)

@mo-auto mo-auto added comp-jans-fido2 Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Apr 10, 2026
@sonarqubecloud

Quality Gate Passed Quality Gate passed for 'Jans authentication server parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud


@imran-ishaq imran-ishaq marked this pull request as ready for review April 13, 2026 19:59
@imran-ishaq imran-ishaq requested a review from yurem as a code owner April 13, 2026 19:59

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/AppleAttestationProcessor.java`:
- Around line 189-195: The fallback in getAppleRootCaSubjectDn() only checks for
null and can return empty or whitespace DNs; update the method to treat
blank/whitespace as absent by checking the configured value (via
appConfiguration.getFido2Configuration().getAppleRootCaSubjectDn()) for
emptiness (e.g., use String.isBlank() or trim().isEmpty()) and return SUBJECT_DN
when the value is null or blank; keep the rest of the logic and references to
Fido2Configuration and appConfiguration unchanged.
📥 Commits

Reviewing files that changed from the base of the PR and between cedd270 and dd724e2.

📒 Files selected for processing (2)
  • jans-fido2/model/src/main/java/io/jans/fido2/model/conf/Fido2Configuration.java
  • jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/AppleAttestationProcessor.java


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/AppleAttestationProcessor.java`:
- Around line 189-194: In getAppleRootCaSubjectDn(), avoid calling
fido2Configuration.getAppleRootCaSubjectDn() multiple times; instead read
fido2Configuration into a local variable (already named fido2Configuration) then
cache fido2Configuration.getAppleRootCaSubjectDn() into a local String (e.g.,
appleDn) and use that for the null/blank checks and return, updating the method
to reference these locals rather than repeated calls to
getAppleRootCaSubjectDn().
📥 Commits

Reviewing files that changed from the base of the PR and between dd724e2 and a6c7bdf.

📒 Files selected for processing (1)
  • jans-fido2/server/src/main/java/io/jans/fido2/service/processor/attestation/AppleAttestationProcessor.java
