Diffstat (limited to 'packages/server/src')
3 files changed, 10 insertions, 12 deletions
diff --git a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
index 0ab7524..8f9a237 100644
--- a/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
+++ b/packages/server/src/attestation/verifications/verifyAndroidSafetyNet.ts
@@ -15,7 +15,7 @@ type Options = {
 clientDataHash: Buffer;
 authData: Buffer;
 aaguid: Buffer;
- rootCertificate: string;
+ rootCertificates: string[];
 verifyTimestampMS?: boolean;
 };
@@ -30,7 +30,7 @@ export default async function verifyAttestationAndroidSafetyNet(
 clientDataHash,
 authData,
 aaguid,
- rootCertificate,
+ rootCertificates,
 verifyTimestampMS = true,
 } = options;
 const { response, ver } = attStmt;
@@ -110,12 +110,11 @@ export default async function verifyAttestationAndroidSafetyNet(
 throw new Error(`${err.message} (SafetyNet)`);
 }
 } else {
- // Validate certificate path using a fixed global root cert
+ // Try validating the certificate path using the root certificates set via SettingsService
 const path = HEADER.x5c.map(convertCertBufferToPEM);
- path.push(rootCertificate);
 try {
- await validateCertificatePath(path);
+ await validateCertificatePath(path, rootCertificates);
 } catch (err) {
 throw new Error(`${err.message} (SafetyNet)`);
 }
diff --git a/packages/server/src/attestation/verifications/verifyApple.ts b/packages/server/src/attestation/verifications/verifyApple.ts
index 9740449..7e892d7 100644
--- a/packages/server/src/attestation/verifications/verifyApple.ts
+++ b/packages/server/src/attestation/verifications/verifyApple.ts
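Review bot: In verifyAndroidSafetyNet.ts (hunk `@@ -110,12 +110,11`), nothing in the new code says what happens when `rootCertificates` is empty: the old code always pushed one root onto `path`, while the new call hands the list to `validateCertificatePath`, whose handling of an empty list is not visible in this diff. If that helper returns early when it has no roots to anchor against, a chain that does not lead to the vendor root would pass path validation; the same applies to the `validateCertificatePath(certPath, rootCertificates)` call in verifyApple.ts (hunk `@@ -27,10 +27,9`). Both formats only carry meaning when the chain ends at the vendor root, so a guard before the `try` would make them fail closed, e.g. `if (rootCertificates.length === 0) { throw new Error('No root certificates configured (SafetyNet)'); }`. The new comment's "Try validating" also reads as best-effort; `// Validate the certificate path against the root certificates registered for this format` states the requirement. The enclosing function starts and ends outside the hunk.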
@@ -12,11 +12,11 @@ type Options = {
 authData: Buffer;
 clientDataHash: Buffer;
 credentialPublicKey: Buffer;
- rootCertificate: string;
+ rootCertificates: string[];
 };
 export default async function verifyApple(options: Options): Promise<boolean> {
- const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificate } = options;
+ const { attStmt, authData, clientDataHash, credentialPublicKey, rootCertificates } = options;
 const { x5c } = attStmt;
 if (!x5c) {
@@ -27,10 +27,9 @@ export default async function verifyApple(options: Options): Promise<boolean> {
 * Verify certificate path
 */
 const certPath = x5c.map(convertCertBufferToPEM);
- certPath.push(rootCertificate);
 try {
- await validateCertificatePath(certPath);
+ await validateCertificatePath(certPath, rootCertificates);
 } catch (err) {
 throw new Error(`${err.message} (Apple)`);
 }
diff --git a/packages/server/src/attestation/verifyAttestationResponse.ts b/packages/server/src/attestation/verifyAttestationResponse.ts
index f7e67f5..c447379 100644
--- a/packages/server/src/attestation/verifyAttestationResponse.ts
+++ b/packages/server/src/attestation/verifyAttestationResponse.ts
@@ -175,7 +175,7 @@ export default async function verifyAttestationResponse(
 }
 const clientDataHash = toHash(base64url.toBuffer(response.clientDataJSON));
- const rootCertificate = settingsService.getRootCertificate({ attestationFormat: fmt });
+ const rootCertificates = settingsService.getRootCertificates({ attestationFormat: fmt });
 /**
 * Verification can only be performed when attestation = 'direct'
@@ -204,7 +204,7 @@ export default async function verifyAttestationResponse(
 authData,
 clientDataHash,
 aaguid,
- rootCertificate,
+ rootCertificates,
 });
 } else if (fmt === 'android-key') {
 verified = await verifyAndroidKey({
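Review bot: In verifyAttestationResponse.ts (hunk `@@ -175,7 +175,7`), the switch from one root to a list is not documented at the lookup, and it changes the trust decision: presumably every certificate returned for `fmt` can now anchor a chain, though `validateCertificatePath` is not shown in this diff. A comment above the line would make that explicit, e.g. `// Every certificate returned here is a trust anchor for this format; register only the vendor's published roots`. The function body continues outside the hunk.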
@@ -228,7 +228,7 @@ export default async function verifyAttestationResponse(
 authData,
 clientDataHash,
 credentialPublicKey,
- rootCertificate,
+ rootCertificates,
 });
 } else if (fmt === 'none') {
 if (Object.keys(attStmt).length > 0) { |