fix: Add KeyUsages for iOS App Attest

Crash-- · Crash-- · commit 0c0aeaf092f6 · 2026-03-02T14:56:19.000+01:00
Maybe Apple added a keyusage within their attestation.

We need to try on int.
diff --git a/model/oauth/ios.go b/model/oauth/ios.go
@@ -218,9 +218,13 @@ func (obj *appleAttestationObject) setupAppleCertificates() (*x509.Certificate,
 		intermediates.AddCert(cert)
 	}
 
+	// App Attest credential certificates have a Key Usage for attestation that
+	// doesn't match Go's default expectations (TLS). We must explicitly allow
+	// any key usage to verify the chain.
 	opts := x509.VerifyOptions{
 		Roots:         roots,
 		Intermediates: intermediates,
+		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 	}
 	credCert := certs[0]
 	return credCert, &opts, nil

Original file line number	Diff line number	Diff line change
`@@ -218,9 +218,13 @@ func (obj appleAttestationObject) setupAppleCertificates() (x509.Certificate,`
`218`	`218`	`intermediates.AddCert(cert)`
`219`	`219`	`}`
`220`	`220`
	`221`	`+ // App Attest credential certificates have a Key Usage for attestation that`
	`222`	`+ // doesn't match Go's default expectations (TLS). We must explicitly allow`
	`223`	`+ // any key usage to verify the chain.`
`221`	`224`	`opts := x509.VerifyOptions{`
`222`	`225`	`Roots: roots,`
`223`	`226`	`Intermediates: intermediates,`
	`227`	`+ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},`
`224`	`228`	`}`
`225`	`229`	`credCert := certs[0]`
`226`	`230`	`return credCert, &opts, nil`