Clarification:
By using the term “Root Certificate”, I am referring to an “Attestation Certificate”/“WebAuthn Root CA”/“Root CA”.
What I am attempting to do:
I have been trying to make use of WebAuthn in my web project (using a PHP library) on user login.
The issue I am facing:
I tested this feature on a PC with Windows 11, on an iPhone device, and on my Samsung phone. I was able to get a ValidRoot state from the library on Windows and iOS, but not on my Samsung phone (Samsung Galaxy S22, not rooted/not unlocked). It seems that Samsung does not use the typical Android/Google Hardware root certificates for security key attestation when it comes to WebAuthn/device auth. (And, seeing that I have the latest FIDO-affiliated certificates loaded into my project, it seems that Samsung is not affiliated with FIDO.)
My question:
Where can I get the root certificate(s) that Samsung uses on their Android devices on WebAuthn/device auth? (I did try to search for them online, but I wasn’t able to find what I was looking for.)
Useful links:
Securing WebAuthn with Attestation: https://developers.yubico.com/WebAuthn/Concepts/Securing_WebAuthn_with_Attestation.html
Related discussion: https://github.com/lbuchs/WebAuthn/issues/31
Used certificates in the project: https://github.com/Ciel-Core/ciel-accounts-system/tree/main/public/certificates
Online project: https://ciel-core.online/user/login/#activate-developer-mode (username: TESTER, password: password12345; you can check the console for the server’s responseInfo.text message - if it’s empty, then the ValidRoot state is true)