make some accommodations to facilitate Apple App Attest

[jstewmon]

👋 Hi @MasterKale, I've been working on a project that uses Apple App Attest, which is based on WebAuthn, but requires some nuanced checks which I don't think are compatible with the high level interface currently exposed in @simplewebauthn/server package.

My initial thoughts on what I might want are:

• expose helpers and attestation verifications in the public api
• support parameterization of the apple root certificate

I worked up an example using @simplewebauthn/server to illustrate how easily Apple App Attest can be implemented using the the helpers that are already defined in the package:

import { AsnParser } from "@peculiar/asn1-schema";
import { Certificate } from "@peculiar/asn1-x509";
import type verifyApple from "@simplewebauthn/server/dist/attestation/verifications/verifyApple";
import convertCOSEtoPKCS from "@simplewebauthn/server/dist/helpers/convertCOSEtoPKCS";
import convertPublicKeyToPEM from "@simplewebauthn/server/dist/helpers/convertPublicKeyToPEM";
import convertX509CertToPEM from "@simplewebauthn/server/dist/helpers/convertX509CertToPEM";
import decodeAttestationObject from "@simplewebauthn/server/dist/helpers/decodeAttestationObject";
import decodeCredentialPublicKey from "@simplewebauthn/server/dist/helpers/decodeCredentialPublicKey";
import parseAuthenticatorData from "@simplewebauthn/server/dist/helpers/parseAuthenticatorData";
import toHash from "@simplewebauthn/server/dist/helpers/toHash";
import validateCertificatePath from "@simplewebauthn/server/dist/helpers/validateCertificatePath";
import crypto from "crypto";

// see: https://www.apple.com/certificateauthority/Apple_App_Attestation_Root_CA.pem
const AppleAppAttestRootCertificate = `-----BEGIN CERTIFICATE-----
MIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYw
JAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwK
QXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNa
Fw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlv
biBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9y
bmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdh
NbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9au
Yen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/
MB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYw
CgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn
53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijV
oyFraWVIyd/dganmrduC1bmTBGwD
-----END CERTIFICATE-----`;

// Same as verifyApple, but bound to AppleAppAttestRootCertificate
async function verifyAppleAppAttest(options: Parameters<typeof verifyApple>[0]): Promise<boolean> {
  const { attStmt, authData, clientDataHash, credentialPublicKey } = options;
  const { x5c } = attStmt;

  if (!x5c) {
    throw new Error(
      "No attestation certificate provided in attestation statement (Apple)"
    );
  }

  /**
   * Verify certificate path
   */
  const certPath = x5c.map(convertX509CertToPEM);
  certPath.push(AppleAppAttestRootCertificate);

  try {
    await validateCertificatePath(certPath);
  } catch (err) {
    throw new Error(`${err.message} (Apple)`);
  }

  /**
   * Compare nonce in certificate extension to computed nonce
   */
  const parsedCredCert = AsnParser.parse(x5c[0], Certificate);
  const { extensions, subjectPublicKeyInfo } = parsedCredCert.tbsCertificate;

  if (!extensions) {
    throw new Error("credCert missing extensions (Apple)");
  }

  const extCertNonce = extensions.find(
    (ext) => ext.extnID === "1.2.840.113635.100.8.2"
  );

  if (!extCertNonce) {
    throw new Error(
      'credCert missing "1.2.840.113635.100.8.2" extension (Apple)'
    );
  }

  const nonceToHash = Buffer.concat([authData, clientDataHash]);
  const nonce = toHash(nonceToHash, "SHA256");
  /**
   * Ignore the first six ASN.1 structure bytes that define the nonce as an OCTET STRING. Should
   * trim off <Buffer 30 24 a1 22 04 20>
   *
   * TODO: Try and get @peculiar (GitHub) to add a schema for "1.2.840.113635.100.8.2" when we
   * find out where it's defined (doesn't seem to be publicly documented at the moment...)
   */
  const extNonce = Buffer.from(extCertNonce.extnValue.buffer).slice(6);

  if (!nonce.equals(extNonce)) {
    throw new Error(`credCert nonce was not expected value (Apple)`);
  }

  /**
   * Verify credential public key matches the Subject Public Key of credCert
   */
  const credPubKeyPKCS = convertCOSEtoPKCS(credentialPublicKey);
  const credCertSubjectPublicKey = Buffer.from(
    subjectPublicKeyInfo.subjectPublicKey
  );

  if (!credPubKeyPKCS.equals(credCertSubjectPublicKey)) {
    throw new Error(
      "Credential public key does not equal credCert public key (Apple)"
    );
  }

  return true;
}

// values taken from https://github.com/veehaitch/devicecheck-appattest/blob/main/src/test/resources/ios-14.3.yaml
const clientData = Buffer.from("d3VyemVscGZyb3Bm", "base64");
const attestation =
  "o2NmbXRvYXBwbGUtYXBwYXR0ZXN0Z2F0dFN0bXSiY3g1Y4JZAvowggL2MIICe6ADAgECAgYBdnrpFpcwCgYIKoZIzj0EAwIwTzEjMCEGA1UEAwwaQXBwbGUgQXBwIEF0dGVzdGF0aW9uIENBIDExEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWEwHhcNMjAxMjE4MTIxMTA0WhcNMjAxMjIxMTIxMTA0WjCBkTFJMEcGA1UEAwxAYmU0MzQxMjdlNTNjYzJlY2Q5ZDFhNzJiMGEwZTkwODQwYmZhNjI5ODI2Y2E0MGQ3ZmNmYjdlMzM3MGY0MmU1YjEaMBgGA1UECwwRQUFBIENlcnRpZmljYXRpb24xEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+pXVUwIHXFloiyixS90aRYUHdq2YL5wU6Ix4f2D0gC0les7hbx/0OVjXunqOxxNLMeWqbvo89vjkJvES9wAeeo4H/MIH8MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgTwMIGLBgkqhkiG92NkCAUEfjB8pAMCAQq/iTADAgEBv4kxAwIBAL+JMgMCAQG/iTMDAgEBv4k0MwQxNk1VUkw4VEE1Ny5kZS52aW5jZW50LWhhdXBlcnQuYXBwbGUtYXBwYXR0ZXN0LXBvY6UGBARza3Mgv4k2AwIBBb+JNwMCAQC/iTkDAgEAv4k6AwIBADAZBgkqhkiG92NkCAcEDDAKv4p4BgQEMTQuMzAzBgkqhkiG92NkCAIEJjAkoSIEIGfk6mDlepJ/X91VX1xMEho6AkwkvCYruF9l6QjIASoeMAoGCCqGSM49BAMCA2kAMGYCMQCFJrhv2jg4j4kXklq/15YwzHiY+Bn+UNC2oDp+m7/UlAHS9y/n1L3HqMPHs8V5lU4CMQCckVQ+WWhYrdBHD1ORujuLHJK+mUjbTM482HQTvLdsVBWGrK/r/kZ20Hfil1O7EmRZAkcwggJDMIIByKADAgECAhAJusXhvEAa2dRTlbw4GghUMAoGCCqGSM49BAMDMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlvbiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMB4XDTIwMDMxODE4Mzk1NVoXDTMwMDMxMzAwMDAwMFowTzEjMCEGA1UEAwwaQXBwbGUgQXBwIEF0dGVzdGF0aW9uIENBIDExEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASuWzegd015sjWPQOfR8iYm8cJf7xeALeqzgmpZh0/40q0VJXiaomYEGRJItjy5ZwaemNNjvV43D7+gjjKegHOphed0bqNZovZvKdsyr0VeIRZY1WevniZ+smFNwhpmzpmjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUrJEQUzO9vmhB/6cMqeX66uXliqEwHQYDVR0OBBYEFD7jXRwEGanJtDH4hHTW4eFXcuObMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNpADBmAjEAu76IjXONBQLPvP1mbQlXUDW81ocsP4QwSSYp7dH5FOh5mRya6LWu+NOoVDP3tg0GAjEAqzjt0MyB7QCkUsO6RPmTY2VT/swpfy60359evlpKyraZXEuCDfkEOG94B7tYlDm3Z3JlY2VpcHRZDnkwgAYJKoZIhvcNAQcCoIAwgAIBATEPMA0GCWCGSAFlAwQCAQUAMIAGCSqGSIb3DQEHAaCAJIAEggPoMYIENDA5AgECAgEBBDE2TVVSTDhUQTU3LmRlLnZpbmNlbnQtaGF1cGVydC5hcHBsZS1hcHBhdHRlc3QtcG9jMIIDBAIBAwIBAQSCAvowggL2MIICe6ADAgECAgYBdnrpFpcwCgYIKoZIzj0EAwIwTzEjMCEGA1UEAwwaQXBwbGUgQXBwIEF0dGVzdGF0aW9uIENBIDExEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWEwHhcNMjAxMjE4MTIxMTA0WhcNMjAxMjIxMTIxMTA0WjCBkTFJMEcGA1UEAwxAYmU0MzQxMjdlNTNjYzJlY2Q5ZDFhNzJiMGEwZTkwODQwYmZhNjI5ODI2Y2E0MGQ3ZmNmYjdlMzM3MGY0MmU1YjEaMBgGA1UECwwRQUFBIENlcnRpZmljYXRpb24xEzARBgNVBAoMCkFwcGxlIEluYy4xEzARBgNVBAgMCkNhbGlmb3JuaWEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+pXVUwIHXFloiyixS90aRYUHdq2YL5wU6Ix4f2D0gC0les7hbx/0OVjXunqOxxNLMeWqbvo89vjkJvES9wAeeo4H/MIH8MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgTwMIGLBgkqhkiG92NkCAUEfjB8pAMCAQq/iTADAgEBv4kxAwIBAL+JMgMCAQG/iTMDAgEBv4k0MwQxNk1VUkw4VEE1Ny5kZS52aW5jZW50LWhhdXBlcnQuYXBwbGUtYXBwYXR0ZXN0LXBvY6UGBARza3Mgv4k2AwIBBb+JNwMCAQC/iTkDAgEAv4k6AwIBADAZBgkqhkiG92NkCAcEDDAKv4p4BgQEMTQuMzAzBgkqhkiG92NkCAIEJjAkoSIEIGfk6mDlepJ/X91VX1xMEho6AkwkvCYruF9l6QjIASoeMAoGCCqGSM49BAMCA2kAMGYCMQCFJrhv2jg4j4kXklq/15YwzHiY+Bn+UNC2oDp+m7/UlAHS9y/n1L3HqMPHs8V5lU4CMQCckVQ+WWhYrdBHD1ORujuLHJK+mUjbTM482HQTvLdsVBWGrK/r/kZ20Hfil1O7EmQwKAIBBAIBAQQgi+ZcylFa0JfJU5Z9GNY12G3XihQu09B3UmvtEca+xnswYAIBBQIBAQRYUTV2dXBYTmZvNXI5TUZ4OWNEeGdJdFR4blJvbCtwRWNJSUVLMEc0TmRSdTlubENFcEFHTlJ5a0orUllDSUl3OE1HQngvTTRDK05VVnBEdnhTVUQ1RHc9PTAOAgEGAgEBBAZBVFRFU1QwDwIBBwRQAgEBBAdzYW5kYm94MCACAQwCAQEEGDIwMjAtMTItMTlUMTI6MTE6MDQuNzM5WjAgAgEVAgEBBBgyMDIxLTAzLTE5VDEyOjExOjA0LjczOVoAAAAAAACggDCCA60wggNUoAMCAQICEFkzVq3lWYLPREI3rN9FG1MwCgYIKoZIzj0EAwIwfDEwMC4GA1UEAwwnQXBwbGUgQXBwbGljYXRpb24gSW50ZWdyYXRpb24gQ0EgNSAtIEcxMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMjAwNTE5MTc0NzMxWhcNMjEwNjE4MTc0NzMxWjBaMTYwNAYDVQQDDC1BcHBsaWNhdGlvbiBBdHRlc3RhdGlvbiBGcmF1ZCBSZWNlaXB0IFNpZ25pbmcxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf+kVNGzDinuYPJPR0ENf2KvaVnAE0yxYhmVRlXq0ePfLKvi6Rff6eOrGLEnk+c3AhLUDFPECM9qbdvpEKiu4cqOCAdgwggHUMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU2Rf+S2eQOEuS9NvO1VeAFAuPPckwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLWFhaWNhNWcxMDEwggEcBgNVHSAEggETMIIBDzCCAQsGCSqGSIb3Y2QFATCB/TCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA1BggrBgEFBQcCARYpaHR0cDovL3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkwHQYDVR0OBBYEFGkexw9H7OON3XU3RPPp4VpsEFYlMA4GA1UdDwEB/wQEAwIHgDAPBgkqhkiG92NkDA8EAgUAMAoGCCqGSM49BAMCA0cAMEQCICUYFlxeKZxZ9oU5rV3bmfY3PvYOzQhFqf13GtYkLSwiAiBdKpsqX6ujY4FljRhA969IC9droZTYNCCH9NaTW7UbrjCCAvkwggJ/oAMCAQICEFb7g9Qr/43DN5kjtVqubr0wCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTkwMzIyMTc1MzMzWhcNMzQwMzIyMDAwMDAwWjB8MTAwLgYDVQQDDCdBcHBsZSBBcHBsaWNhdGlvbiBJbnRlZ3JhdGlvbiBDQSA1IC0gRzExJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJLOY719hrGrKAo7HOGv+wSUgJGs9jHfpssoNW9ES+Eh5VfdEo2NuoJ8lb5J+r4zyq7NBBnxL0Ml+vS+s8uDfrqjgfcwgfQwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBS7sN6hWDOImqSKmd6+veuv2sskqzBGBggrBgEFBQcBAQQ6MDgwNgYIKwYBBQUHMAGGKmh0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtYXBwbGVyb290Y2FnMzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmFwcGxlLmNvbS9hcHBsZXJvb3RjYWczLmNybDAdBgNVHQ4EFgQU2Rf+S2eQOEuS9NvO1VeAFAuPPckwDgYDVR0PAQH/BAQDAgEGMBAGCiqGSIb3Y2QGAgMEAgUAMAoGCCqGSM49BAMDA2gAMGUCMQCNb6afoeDk7FtOc4qSfz14U5iP9NofWB7DdUr+OKhMKoMaGqoNpmRt4bmT6NFVTO0CMGc7LLTh6DcHd8vV7HaoGjpVOz81asjF5pKw4WG+gElp5F8rqWzhEQKqzGHZOLdzSjCCAkMwggHJoAMCAQICCC3F/IjSxUuVMAoGCCqGSM49BAMDMGcxGzAZBgNVBAMMEkFwcGxlIFJvb3QgQ0EgLSBHMzEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE0MDQzMDE4MTkwNloXDTM5MDQzMDE4MTkwNlowZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASY6S89QHKk7ZMicoETHN0QlfHFo05x3BQW2Q7lpgUqd2R7X04407scRLV/9R+2MmJdyemEW08wTxFaAP1YWAyl9Q8sTQdHE3Xal5eXbzFc7SudeyA72LlU2V6ZpDpRCjGjQjBAMB0GA1UdDgQWBBS7sN6hWDOImqSKmd6+veuv2sskqzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNoADBlAjEAg+nBxBZeGl00GNnt7/RsDgBGS7jfskYRxQ/95nqMoaZrzsID1Jz1k8Z0uGrfqiMVAjBtZooQytQN1E/NjUM+tIpjpTNu423aF7dkH8hTJvmIYnQ5Cxdby1GoDOgYA+eisigAADGB/TCB+gIBATCBkDB8MTAwLgYDVQQDDCdBcHBsZSBBcHBsaWNhdGlvbiBJbnRlZ3JhdGlvbiBDQSA1IC0gRzExJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUwIQWTNWreVZgs9EQjes30UbUzANBglghkgBZQMEAgEFADAKBggqhkjOPQQDAgRHMEUCIFy5yROKSJWnhCFnY554lU6lRUADXzXM2+gXN3PZkLIzAiEAwcyUVDmge7cZFRlQXP4xtyPaw2DR0M5GvD6Em9KiuO4AAAAAAABoYXV0aERhdGFYpEVlEup+JpR2q5Pht5cWhVkv9z+JSsDsL9VICKCL+2yPQAAAAABhcHBhdHRlc3RkZXZlbG9wACC+Q0En5TzC7NnRpysKDpCEC/pimCbKQNf8+34zcPQuW6UBAgMmIAEhWCD+pXVUwIHXFloiyixS90aRYUHdq2YL5wU6Ix4f2D0gCyJYIEles7hbx/0OVjXunqOxxNLMeWqbvo89vjkJvES9wAee";
const attestationObject = decodeAttestationObject(
  Buffer.from(attestation, "base64")
);

const authData = parseAuthenticatorData(attestationObject.authData);
const aaguid = authData.aaguid!.toString();
const publicKey = decodeCredentialPublicKey(authData.credentialPublicKey!);
const pkcsPublicKey = convertPublicKeyToPEM(authData.credentialPublicKey!);
const verifyOptions = {
  attStmt: attestationObject.attStmt,
  authData: attestationObject.authData,
  clientDataHash: crypto.createHash("sha256").update(clientData).digest(),
  credentialPublicKey: authData.credentialPublicKey!,
};
verifyAppleAppAttest(verifyOptions).then(console.log);

TIA for taking a look and giving feedback. I'm happy to open PRs for any changes we agree on. 🙏

[MasterKale]

It's funny you mention AppAttest, before Apple released any official documentation on their "apple" WebAuthn attestation format I thought to try and get some hints about what it would look like from the AppAttest verification logic. I'm not surprised to see the two can be similarly verified.

I want to sleep on it, about what you're proposing. Regarding exposing the various helpers: on its face it seems fine, but the orchestration of the various internal helper functions into something like the verification functionality you demonstrate above would never make it into SimpleWebAuthn as a "simple" way to perform this verification. It would need to be cobbled together and maintained by developers like you in whatever project you want to add this to.

Which makes me wonder if the helpers couldn't be pulled out into a separate "@simplewebauthn/server-helpers" package. As a separate package there'd be more opportunities to incorporate that logic into various other verification libraries that could exist independent of @simplewebauthn/server while benefiting from its typed logic.

But now we're talking a separate package namespace because "@simplewebauthn/appleAppAttest" has nothing to do with WebAuthn!

One thing I have almost no objections to is your proposal to "support parameterization of the apple root certificate". There are a small number of root certificates that are currently baked into the library (not just Apple-related) that really should be default values that can then be overridden by environment variables. If you are looking to contribute again that would be a great slam dunk of an addition to the library.

These are my initial thoughts. AppAttest, while similar to the "apple" WebAuthn attestation format, falls outside the scope no matter how I try to picture it...let me sleep on it for a day or two and maybe a solution will come to mind.

[jstewmon]

the orchestration of the various internal helper functions into something like the verification functionality you demonstrate above would never make it into SimpleWebAuthn as a "simple" way to perform this verification. It would need to be cobbled together and maintained by developers like you in whatever project you want to add this to.

👍 Agreed

Which makes me wonder if the helpers couldn't be pulled out into a separate "@simplewebauthn/server-helpers" package. As a separate package there'd be more opportunities to incorporate that logic into various other verification libraries that could exist independent of @simplewebauthn/server while benefiting from its typed logic.

Would you imagine separate packages for the attestation and assertion modules too? I know some maintainers split their packages along very fine boundaries like this. Practically, I'm not sure there's a clear value proposition to doing that at this point. If the package export surface area is the primary motivation for package splitting, using package exports to define entry points might be a lower touch solution.

One thing I have almost no objections to is your proposal to "support parameterization of the apple root certificate". There are a small number of root certificates that are currently baked into the library (not just Apple-related) that really should be default values that can then be overridden by environment variables. If you are looking to contribute again that would be a great slam dunk of an addition to the library.

👍 thanks, I'll work on a PR for this