WebAuthn and root certificate(s) on Samsung mobile devices
By using the term “Root Certificate”, I am referring to an “Attestation Certificate”/“WebAuthn Root CA”/“Root CA”.

What I am attempting to do:

      I have been trying to make use of WebAuthn in my web project (using a PHP library) on user login.

The issue I am facing:

      I tested this feature on a PC with Windows 11, on an iPhone device, and on my Samsung phone. I was able to get a ValidRoot state from the library on Windows and iOS, but not on my Samsung phone (Samsung Galaxy S22, not rooted/not unlocked). It seems that Samsung does not use the typical Android/Google Hardware root certificates for security key attestation when it comes to WebAuthn/device auth. (And, seeing that I have the latest FIDO-affiliated certificates loaded into my project, it seems that Samsung is not affiliated with FIDO.)

My question:

Where can I get the root certificate(s) that Samsung uses on their Android devices for WebAuthn/device auth? (I did try to search for them online, but I wasn’t able to find what I was looking for.)

Useful links:

      Securing WebAuthn with Attestation: https://developers.yubico.com/WebAuthn/Concepts/Securing_WebAuthn_with_Attestation.html

      Related discussion: https://github.com/lbuchs/WebAuthn/issues/31

      Used certificates in the project: https://github.com/Ciel-Core/ciel-accounts-system/tree/main/public/certificates

      Online project: https://ciel-core.online/user/login/#activate-developer-mode (username: TESTER, password: password12345, you can check the console for the server’s responseInfo.text message - if it’s empty, then the ValidRoot state is true)

So, turns out I was loading the FIDO certificates incorrectly. After correcting my code, Samsung devices started returning a ValidRoot state.

…so, tots my bad.